[aerogear-dev] iOS OAuth2 library throwing error on keychain read

Corinne Krych corinnekrych at gmail.com
Thu Feb 4 03:40:25 EST 2016


Hello Michael,

Going through the link you sent me, I saw my comments from last July.
Unfortunately, the resolution of this long-known keychain issue hasn't
progressed much. Besides, with the limitation of a closed-source lib :( it is
difficult to know the details of the issue. Even in the cookbook demo app I
had to back up and use UntrustedMemoryOAuth2Session [1].

What I would recommend is going another route and implementing your own secure
OAuth2Session storage [2] using an encryption lib [3]. The problem is that when
you encrypt you need to input a password, which is a usability trade-off to
have tokens stored in a secure encrypted version. You could use TouchID [4]
to make it easy.

++
Corinne
[1] https://github.com/aerogear/aerogear-ios-cookbook/blob/master/Shoot/Shoot/ViewController.swift#L164
[2] https://github.com/aerogear/aerogear-ios-oauth2/blob/master/AeroGearOAuth2/OAuth2Session.swift
[3] https://github.com/aerogear/aerogear-crypto-ios
[4] http://corinnekrych.blogspot.fr/2014/09/authenticate-with-touchid.html


On 3 February 2016 at 20:44, Michael Doo <michael at 410labs.com> wrote:

> In the Aerogear iOS OAuth2 library, getting an error when app enters
> foreground after period of being in background. Specifically, in
> TrustedPersistantOAuth2Session.swift, KeyChainWrap.read() is (very)
> occasionally throwing errSecMissingEntitlement and then throwing the user
> over to Safari for authentication. This is a show stopper bug for our app.
> Some discussion of the topic and acknowledgement by Apple here:
> https://forums.developer.apple.com/message/9225#9225.
>
> Best,
> Michael Doo
>
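
The password-encrypted token storage recommended in the reply above, sketched as an added example that is not part of the original thread and is not AeroGear code. It does not implement the OAuth2Session protocol [2] or call aerogear-crypto-ios [3]; it assumes Apple's CryptoKit and CommonCrypto instead, and `StoredTokens`, `EncryptedTokenStore` and the PBKDF2 round count are hypothetical names and values.

```swift
import Foundation
import CryptoKit
import CommonCrypto

// Hypothetical token record; not the AeroGear OAuth2Session protocol.
struct StoredTokens: Codable, Equatable {
    var accessToken: String
    var refreshToken: String?
    var accessTokenExpiry: Date
}

enum TokenStoreError: Error { case keyDerivationFailed, malformedBlob }

struct EncryptedTokenStore {
    let fileURL: URL
    static let saltLength = 16
    static let rounds: UInt32 = 200_000  // assumed work factor; tune per device

    // PBKDF2-HMAC-SHA256 stretches the user's password into a 256-bit AES key.
    private func deriveKey(password: String, salt: Data) throws -> SymmetricKey {
        var derived = [UInt8](repeating: 0, count: 32)
        let saltBytes = [UInt8](salt)
        let status = CCKeyDerivationPBKDF(
            CCPBKDFAlgorithm(kCCPBKDF2), password, password.utf8.count,
            saltBytes, saltBytes.count,
            CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), Self.rounds,
            &derived, derived.count)
        guard Int(status) == kCCSuccess else { throw TokenStoreError.keyDerivationFailed }
        return SymmetricKey(data: derived)
    }

    // File layout: salt (16 bytes) || nonce || ciphertext || GCM tag.
    func save(_ tokens: StoredTokens, password: String) throws {
        let salt = Data((0..<Self.saltLength).map { _ in UInt8.random(in: 0...UInt8.max) })
        let key = try deriveKey(password: password, salt: salt)
        let sealed = try AES.GCM.seal(JSONEncoder().encode(tokens), using: key)
        guard let combined = sealed.combined else { throw TokenStoreError.malformedBlob }
        try (salt + combined).write(to: fileURL, options: [.atomic, .completeFileProtection])
    }

    // Returns nil when nothing is stored; throws on a wrong password or a tampered
    // file, because the GCM tag check in AES.GCM.open fails.
    func load(password: String) throws -> StoredTokens? {
        guard let blob = try? Data(contentsOf: fileURL) else { return nil }
        guard blob.count > Self.saltLength else { throw TokenStoreError.malformedBlob }
        let key = try deriveKey(password: password, salt: blob.prefix(Self.saltLength))
        let box = try AES.GCM.SealedBox(combined: blob.dropFirst(Self.saltLength))
        return try JSONDecoder().decode(StoredTokens.self, from: AES.GCM.open(box, using: key))
    }
}
```

A thrown error from `load` is the signal to prompt for the password again or fall back to a fresh OAuth2 authorization; the key is never written to disk, only the salt and the sealed blob.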