README.md: 11 additions & 22 deletions
@@ -108,29 +108,18 @@ let signInButton = GoogleSignInButton {
108
108
let hostedButton = NSHostingView(rootView: signInButton)
109
109
```
110
110
111
-
## A Note iOS Keychain Access Groups
111
+
## A Note on iOS Keychain Access Groups
112
112
113
-
On iOS, if you do not supply a custom Keychain access group, the system creates
114
-
a Keychain access group by prepending `$(AppIdentifierPrefix)` to your bundle
115
-
ID (e.g., `$(AppIdentifierPrefix).com.example.MyApp`), which becomes the
116
-
default access group for just your app ([Apple documentation](https://developer.apple.com/documentation/security/sharing-access-to-keychain-items-among-a-collection-of-apps#Establish-your-apps-private-access-group)).
113
+
GSI uses your default (first listed) keychain access group. If you don't add a
114
+
custom keychain access group, the default keychain access group is provided by
115
+
Xcode and looks like `$(AppIdentifierPrefix)$(CFBundleIdentifier)`.
117
116
118
-
If, however, you add a new Keychain access group (and add the entitlement to
119
-
your app), then Xcode will use whatever access group is listed first in the
120
-
list as the default. So, if the shared access group is first, then it becomes
121
-
the default Keychain for your app.
122
-
123
-
The implication of this scenario is that credentials saved by GSI (via
124
-
[GTMAppAuth](https://github.com/google/GTMAppAuth)) on behalf of your app will
125
-
be stored in the shared keychain access group.
126
-
127
-
You should make sure that you want this behavior because GSI [removes Keychain
128
-
items upon fresh install](https://github.com/google/GoogleSignIn-iOS/pull/567)
117
+
GSI [removes keychain items upon fresh install](https://github.com/google/GoogleSignIn-iOS/pull/567)
129
118
to ensure that stale credentials from previous installs of your app are not
130
-
mistakenly used. This behavior can lead new installs of apps sharing the same
131
-
Keychain access group to remove Keychain credentials for apps already installed.
119
+
mistakenly used. If your app uses a shared access group by default this may
120
+
lead to new installs of apps sharing the same keychain access group to remove
121
+
keychain credentials for apps already installed.
132
122
133
-
You can mitigate this by explicitly listing the typical default access group
134
-
(or whatever you prefer) in your list first. GSI, via GTMAppAuth, will then use
135
-
that default access group. Make sure that you also update your code that writes
136
-
to the Keychain to explicitly use the shared access group as needed.
123
+
To prevent unintentional credential removal, you can explicitly list the
124
+
typical default access group (or whatever you prefer) in your list first. GSI,
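Review bot: The added sentence at new lines 119-121 ("this may lead to new installs of apps sharing the same keychain access group to remove keychain credentials for apps already installed") is hard to parse and leaves unclear whose credentials are removed. Suggest something like "If your app's default access group is a shared one, a fresh install of any app in that group may remove keychain credentials belonging to apps that are already installed." Separately, the rewrite at new lines 113-115 drops the Apple documentation link that supported the statement about the default access group, and it no longer mentions that the credentials are saved via GTMAppAuth; consider keeping the link next to `$(AppIdentifierPrefix)$(CFBundleIdentifier)` so readers can verify how the default group is derived.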