Amplify Auth - apps log each other out

[dcristolovean]

Describe the bug

Assume I have 2 apps, from the same code base, using Amplify for Auth. The Auth Plugin is configured in code, not with a json file, with various values for each app. Everything works OK for years.
But it seems there's an issue with the keychain authconfiguration that result in apps logging each other out:

1. Start app A -> login -> close -> restart -> all Good, user is still logged in, session OK
2. Start app B -> login -> close -> start app A -> user no longer logged in. the fetchAuthSession.isSignedIn is suddenly false.

I enabled verbose logging and I'm seeing things like this, MANY TIMES, for both apps.

[KeychainStore] Initialized keychain with service=com.amplify.awsCognitoAuthPlugin, attributes=KeychainStoreAttributes(itemClass: "genp", service: "com.amplify.awsCognitoAuthPlugin", accessGroup: nil), accessGroup=No access group specified
[KeychainStore] Started retrieving Data from the store with key=authConfiguration
Starting execution for Auth.fetchSessionAPI
Starting execution
[KeychainStore] Successfully retrieved Data from the store with key=authConfiguration
[KeychainStore] Started setting Data for key=authConfiguration
[KeychainStore] Initialized fetching to decide whether update or add
[KeychainStore] Found existing item, updating
[KeychainStore] Successfully updated Data in keychain for key=authConfiguration

At the same time, I see also KeyChain inits with the correct bundle id:

[KeychainStore] Initialized keychain with service=Optional("CORRECT BUNDLE FOR APP A or B").AWSMobileClient, attributes=KeychainStoreAttributes(itemClass: "genp", service: "Optional("CORRECT BUNDLE FOR APP A or ").AWSMobileClient", accessGroup: nil), accessGroup=No access group specified
[KeychainStore] Started retrieving Data from the store with key=loginsMap
[KeychainStore] No Keychain item found for key=loginsMap
[KeychainStore] Initialized keychain with service=Optional("CORRECT BUNDLE FOR APP A or ").AWSMobileClient, attributes=KeychainStoreAttributes(itemClass: "genp", service: "Optional("CORRECT BUNDLE FOR APP A or ").AWSMobileClient", accessGroup: nil), accessGroup=No access group specified
[KeychainStore] Started retrieving String from the store with key=federationProvider
[KeychainStore] Started retrieving Data from the store with key=federationProvider
[KeychainStore] No Keychain item found for key=federationProvider
[KeychainStore] Starting to remove all items from keychain
[KeychainStore] Successfully removed all items from keychain

Not sure but it seems all the keychain operations using the service = my 2 bundle ids are failing and only the generic one finds stuff.

Of course, if that's the case, app B puts different data there and kills the login for app A.

I don't need any Keychain Sharing, these are individual apps that I just need to stay logged in and I need to be able to install all of them if needed (there are way more than app A or app B, with different bundles of course.).
It's a sort of 'template' code, with just one target and various schemes + build scripts per client.

How can I be sure that one app doesn't overwrite the authConfig from the other app ? To be honest, I expected this to be done automatically.

LATER EDIT: I found one way this works and only one way: In the entitlements file for each app, if I put by hand the bundle id (no team, no nothing, just the bundle id) for the Keychain Access Group, it works perfectly. Each app has the same bundle.
If I add the Team ID in front, as it's recommended, so, TEAMID.BUNDLEID -> doesn't work (team id is the same for App A and App B). I tried with AccessGroup from the doc, it's completely useless, doesn't do anything.
I even tried with the "KeyChain": "service": .... in the AuthCategoryConfiguration json, doesn't do anything.

It doesn't even work without keychain sharing, removing the entitlements value and using/or not the AccessGroup.none.

So I'm out of ideas, wasted 2 full days on this. Why does it work with the bundle id in the entitlement ?

Steps To Reproduce

Kinda hard, you need 2 apps.  Let me know if my description was enough or if you need more info.

Expected behavior

Each app should save it's own authConfig and not interfere with one another.

Amplify Framework Version

2.51.1

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

5.x

CLI version

12.14.0 - not using it anyway

Xcode version

26.0.1

Platforms

iOS

OS Version

26.0.1

Device

any iPhone/sim

Specific to simulators

no

[tylerjroach]

@dcristolovean Is this the issue you are running into? #4076

Just released 2.51.3 a few minutes ago that contains the fix. Please update to this version and let us know if it resolves the issue for you.

[dcristolovean]

Unfortunately it still doesn't work. Here are all the tests I've done: . (these tests are done on a 100% clean simulator with fresh app installs for each step).

1. Removed Keychain Access Groups from both apps entitlements file.
   Not using any AccessGroup, just the standard Auth init, no "Keychain": "service" : .. fields in the json. So basically, that should just be an absolute standard configuration, no Keychain sharing, no nothing

It does NOT work. As soon as you login in App B, App A is logged out

This is the most basic use case and it should work out of the box.

2. Add "AppA" and "AppB" in the entitlements files for each app. No other changes in code. IT WORKS.

3. Other ridiculous combinations in the entitlement files:

• TEAM.AppA + TEAM.AppB - > works
• TEAM.BUNDLE ID A + TEAM.BUNDLE ID B -> doesn't work

I'm in the process of testing various things for 3) to find something that's actually reliable and uses TEAMID.XXX as is Apple's recommendation.

Why does Amplify really need this key in the entitlements and can't work without it if no keychain sharing is needed ? Also, why is it so fragile based on what values are in there ? What's the thing that 'kills' it ? The "." ? I don't know, still playing with it .

Btw, this is in 2.51.3

PS: One more thing, to be 100% clear, maybe this impacts the entire thing: My code has just one target. Is uses multiple schemes that first time run scripts that set various things per app and only then the build process starts. Of course, bundle ids are different, different apps, but there's just one target in the project, if that impacts this in any way.
I really don't need keychain sharing, don't want to have to set anything in the entitlement files, how can I make this work with my setup ?

[tylerjroach]

I've got a few questions. Are you still using the AWS iOS SDK in addition to Amplify Swift? These 2 libraries are not compatible with one another and could result in the cleared keychain scenario.

If you are strictly using Amplify 2.51.3, lets go through a few things..

The guide to using a shared keychain is here: https://docs.amplify.aws/swift/build-a-backend/auth/advanced-workflows/#migrating-to-a-shared-keychain, so we will use this as a reference. Below is an example of sharing a keychain across apps with a custom accessGroup.

let accessGroup = AccessGroup(name: "\(teamID)com.example.sharedItems")
let secureStoragePreferences = AWSCognitoSecureStoragePreferences(
  accessGroup: accessGroup)
try Amplify.add(
  plugin: AWSCognitoAuthPlugin(
    secureStoragePreferences: secureStoragePreferences))

1. If your apps have different bundle id and you have not added a custom AWSCognitoSecureStoragePreferences to the AWSCognitoAuthPlugin configuration, apps should not be able to access each other's keychain.

• Because of this, apps should not be able to sign each other out. Would you happen to have an AppGroup configured where UserDefaults would be shared between the applications?
• This would be the only scenario I could think of that could cause a conflict here.

2. The bug fix in 2.51.3 made a change where if an accessGroup is provided to AWSCognitoSecureStoragePreferences, we will no longer clear keychains on suspected first launches. This should be able to help you in your use case, even though you don't need to "share" the keychain.

• If you set a unique accessGroup for each unique app, 2.51.3 will no longer try to clear the keychain under any circumstances. Like the example above, instead of let accessGroup = AccessGroup(name: "\(teamID)com.example.sharedItems"), do something like, let accessGroup = AccessGroup(name: "\(teamID)com.example.sharedItems.\(uniqueAppVariable")

---

It appears that you are reporting issues that don't match up with the 2 above statements. If you are not using AWS iOS SDK, and the above descriptions don't clear anything up, please provide updated code snippets to show exactly how you are configuring Amplify, in addition to how bundle any any other relevant info is being set in your entitlements.

[dcristolovean]

Thanks for the response. And no, I am not using the AWS iOS SDK. I only have Amplify-Swift via SPM in the app. So using Gen 1 v2 docs.

I'm gonna do one more test with this 2.51.3 and the AccessGroup documentation provided (which I tried before unsuccessfully). I also do not have any AppGroups set up for these apps.
One thing here, since this is for a shared keychain, beside the code stuff with AccessGroup, what EXACT value do I need to put in my entitlement files ?

Documentation says:

"
In Xcode, go to Project Settings → Your Target → Signing & Capabilities
Select +Capability
Add Keychain Sharing capability
Add a keychain group <- WHAT VALUE EXACTLY ?
Repeat for all apps for which you want to share auth state, adding the same keychain group for all of them
"

If it's gonna work with keychain sharing that actually separates the apps in the keychain, I don't mind having keychain sharing, even if I don't care about it. I will let you know if it works, but please let me know what to set in the keychain group value.

2. What I would really like is for this to work without any keychain share, groups or anything, since I don't need it. So, no Keychain sharing capability, no group, no AccessGroup code in my init.

The way I init my Amplify is like this:

var authJson: [String: JSONValue] = [ ......manually created dictionary with dynamic values ....] (based on the docs from "Use existing AWS resources"
let authConfiguration = AuthCategoryConfiguration(plugins: authJson)

... (same for REST API, GRAPH QL, S3)

let apiPlugin = AWSAPIPlugin()
try Amplify.add(plugin: AWSCognitoAuthPlugin())
try Amplify.add(plugin: apiPlugin)
try Amplify.add(plugin: AWSS3StoragePlugin())

let config = AmplifyConfiguration(api: apiConfiguration, auth: authConfiguration, storage: storageConfiguration)

try Amplify.configure(config)

let session = try await Amplify.Auth.fetchAuthSession()

-> session.isSignedIn = false.

So pretty (manual) basic init, right ? And with just that and 2 different apps, as soon as I log in the 2nd app and I restart the 1st app, isSignedIn = false.