In #138 we added support to listen to Apple's credentialRevokedNotification, so it could be handled in the client app. However, this only works for accounts without 2FA.
For accounts with 2FA, the Apple ID isn't written to the Keychain. (As observed by the app log checkAppleIDCredentialState: No Apple ID found. after logging in with SIWA and 2FA.) Revoking the Apple ID access for WordPress then doesn't have an effect.
To reproduce:
1. Start with a WordPress.com account with 2FA that is connected to Apple.
2. Log in to a client app (WordPress or WooCommerce) with SIWA.
3. Go to Settings app > Apple ID > Password & Security > Apps using Apple ID and revoke access for WordPress.
4. Open the client app again. Notice you are not logged out.
I reproduced this issue with both the WordPress and WooCommerce apps, and confirmed that it works as expected without 2FA but the issue appears when 2FA is enabled on the WordPress.com account.
h/t @jaclync for the troubleshooting help that identified 2FA as the source of the issue!
Great finding! From my testing (WCiOS & WPiOS), I was able to reproduce this issue with 2FA enabled and with one extra step between step 1 and 2 - close the client app.
If I left the app open, the app was logged out as expected; but if I closed the app and then launched it after revoking WordPress from Apple ID, the app didn't get logged out.
From my testing, the Apple ID is removed from Keychain when I come back to the app from copying the one-time password (OTP) from another app (1Password for example).
Because we check Apple ID credential state on each UIApplication.didBecomeActiveNotification, this is triggered after I leave the app to get the OTP and then come back. However, at this point the app is still on the OTP screen and is not considered "logged in" and thus it removes the Apple ID from Keychain (code in WCiOS).
The issue is that the Apple ID is saved to Keychain too early (right after SIWA) when the app might not be fully logged in yet. I plan to fix this in WCiOS by saving the Apple ID to Keychain when authentication completes (authenticator's delegate sync(credentials:onCompletion:)) (WCiOS issue).
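The ordering described in the comment above, as an added sketch that is not code from WCiOS, WPiOS or the authenticator library: the Apple user ID is held in memory until authentication completes, so a credential check fired while the user is still on the OTP screen has nothing to delete. `AppleIDStore`, `AppleIDCredentialGuard` and their method names are hypothetical, and the store is assumed to be backed by the Keychain in a real app.

```swift
import AuthenticationServices
import UIKit

// Hypothetical storage abstraction; a real app would back this with the Keychain.
protocol AppleIDStore {
    var appleUserID: String? { get set }
}

final class AppleIDCredentialGuard {
    private var store: AppleIDStore
    private var pendingUserID: String?   // in memory only while 2FA is still in progress
    private let onRevoked: () -> Void
    private var observer: NSObjectProtocol?

    init(store: AppleIDStore, onRevoked: @escaping () -> Void) {
        self.store = store
        self.onRevoked = onRevoked
        // Re-check on every foreground, as the thread describes.
        observer = NotificationCenter.default.addObserver(
            forName: UIApplication.didBecomeActiveNotification,
            object: nil, queue: .main) { [weak self] _ in self?.checkCredentialState() }
    }

    deinit {
        if let observer = observer { NotificationCenter.default.removeObserver(observer) }
    }

    // Right after SIWA succeeds: remember the ID, but do not persist it yet.
    func didReceiveAppleCredential(userID: String) { pendingUserID = userID }

    // When authentication fully completes (after the OTP step if 2FA is on): persist.
    func didCompleteAuthentication() {
        guard let userID = pendingUserID else { return }
        store.appleUserID = userID
        pendingUserID = nil
    }

    // Login cancelled or failed: drop the in-memory ID.
    func didAbandonLogin() { pendingUserID = nil }

    func checkCredentialState() {
        // Nothing persisted means no completed SIWA login; a pending login is left alone.
        guard let userID = store.appleUserID else { return }
        ASAuthorizationAppleIDProvider().getCredentialState(forUserID: userID) { [weak self] state, _ in
            guard state == .revoked else { return }
            DispatchQueue.main.async {
                self?.store.appleUserID = nil   // clear the stored ID, then log out
                self?.onRevoked()
            }
        }
    }
}
```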