firebase-ios-sdk: Share auth state between app and app extension on iOS sometimes fails

Step 1: Describe your environment

  • Xcode version: Xcode 12.4
  • Firebase SDK version: 8.4.0
  • Installation method: Swift Package Manager
  • Firebase Component: Auth

Step 2: Describe the problem

We are using Firebase Auth on an iOS app that uses an App Extension. I followed the documentation here https://firebase.google.com/docs/auth/ios/single-sign-on#share_auth_state_between_apps

The documentation states:

You can use either a keychain access group or an app group.

Since I’m already using an app group for other things (subscription status, for example), I decided to go with app groups.

Everything works fine, we can retrieve the user on the extension. I did not activate the entitlement for Keychain Sharing, only for app group.

But so far I’m seeing that for 2 users we get this error:

Fatal error: Error changing user access group An error occurred when accessing the keychain. The NSLocalizedFailureReasonErrorKey field in the NSError.userInfo dictionary will contain more information about the error encountered

On:

  • iPhone XR iOS 14.6
  • iPhone 12 Pro iOS 14.1

The rest of the devices are working normally.

Steps to reproduce:

What happened? How can we make the problem occur?

When the app starts, we run this code at the beginning; at this point the extension is not running yet:

if FirebaseApp.app() == nil {
    FirebaseApp.configure()
}
do {
    try Auth.auth().useUserAccessGroup(appGroup)
} catch {
    let message = "Error changing user access group \(error.localizedDescription)"
    fatalError(message)
}

The variable appGroup contains a String in the form group.APP-BUNDLE-ID, as this is recommended by Apple for iOS apps. Source: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_application-groups

For iOS, format the identifier as follows:

group.<group name>

App groups also act as keychain access groups.

At this point, all is normal, we are not receiving any crash.

Later on, the user signs in to the app.

Finally, the user enables the extension; at this point we run the following code:

if FirebaseApp.app() == nil {
    FirebaseApp.configure()
}
do {
    try Auth.auth().useUserAccessGroup(appGroup)
    Crashlytics.crashlytics().setUserID(Auth.auth().currentUser?.uid ?? "N/A")
} catch {
    let message = "Error changing user access group \(error.localizedDescription)"
    fatalError(message)
}

It is at this point that the fatalError triggers the error, but not always, only for these 2 users.

I’m throwing a fatalError because I need the user to be authenticated and I need to share the auth data. I guess there is nothing wrong with that.

With all this information, I’ve got a couple of questions:

  • Is this a bug? The docs say to use keychain or app group. Do we need both, is only one fine, or only keychain sharing?

From the Apple docs I get that when using app groups, we are also using keychain sharing, so we shouldn’t need keychain sharing as well: https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps

Starting in iOS 8, when an app belongs to an app group, it can also use this mechanism to share keychain items.

using an app group enables additional data sharing beyond keychain items. You might want this extra sharing, or might already be using an app group for this purpose, and thus not need to add keychain access groups.

Like I said, I can’t reproduce this every time; I have never been able to reproduce it myself. If there is anything I can help you with, let me know. I can only see on Crashlytics that the fatalError is happening on the app extension for 2 users, and I don’t know if they are able to recover or not. (Not sure how I could know.)

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 17 (8 by maintainers)

Most upvoted comments

That sounds fine. You may end up retrying more often than the approach I mentioned, but extra retries should not cause any significant issues.

@morganchen12 thanks for your answer. I have been digging myself and I believe it is device lock, because I have the feeling that these devices recover over time and are able to init correctly.

I’m not sure either how we could address this problem. About your comment:

sharing the app and extension keychain seems like a good start.

Isn’t that what we are already doing with the shared app group? I believe that we are sharing the keychain, or are you saying to drop the app group and go only with the keychain sharing entitlement? I believe we could face the same.

Or is it possible that you are suggesting another thing?

Thanks a lot.

@morganchen12 thanks again, I will go ahead and change it for the next release since I can’t reproduce it on my devices. It will take some days to make the release, get Apple approval and finally roll out. If you can keep this issue open, I’ll come back when I get more details.

Thanks for your help
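
The retry idea discussed in the comments above, as an added example that is not code from the original thread or from the Firebase project: instead of calling fatalError, it records the NSLocalizedFailureReasonErrorKey value the error message points to and retries with a capped backoff. AccessGroupConfigurator, maxAttempts and the delay values are hypothetical; it assumes the keychain failure is transient, as suspected in the thread.

```swift
import Foundation
import FirebaseCore
import FirebaseAuth

/// Hypothetical helper (not part of the Firebase SDK): switches the user
/// access group and retries on keychain errors instead of crashing.
final class AccessGroupConfigurator {
    private let appGroup: String   // e.g. "group.<group name>"
    private let maxAttempts: Int   // assumed limit, tune for your app
    private var attempt = 0

    init(appGroup: String, maxAttempts: Int = 5) {
        self.appGroup = appGroup
        self.maxAttempts = maxAttempts
    }

    /// Calls `completion` with the shared user (nil if nobody is signed in)
    /// or with the last error once all attempts are used up.
    func configure(completion: @escaping (Result<User?, Error>) -> Void) {
        if FirebaseApp.app() == nil {
            FirebaseApp.configure()
        }
        attempt += 1
        do {
            try Auth.auth().useUserAccessGroup(appGroup)
            completion(.success(Auth.auth().currentUser))
        } catch {
            let nsError = error as NSError
            // localizedDescription is generic; the failure reason carries
            // the detail about the underlying keychain error.
            let reason = nsError.userInfo[NSLocalizedFailureReasonErrorKey] as? String ?? "none"
            NSLog("%@", "useUserAccessGroup failed (attempt \(attempt)/\(maxAttempts)): "
                + "domain=\(nsError.domain) code=\(nsError.code) reason=\(reason)")

            guard attempt < maxAttempts else {
                completion(.failure(error))   // caller decides how to degrade
                return
            }
            // Capped exponential backoff: 2, 4, 8, 16 seconds.
            let delay = min(pow(2.0, Double(attempt)), 30.0)
            DispatchQueue.main.asyncAfter(deadline: .now() + delay) { [self] in
                configure(completion: completion)
            }
        }
    }
}
```

The completion handler is where the extension can show a "not signed in yet" state on failure, and the logged failure reason is what tells a keychain access error apart from a misconfigured entitlement.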