This repository was archived by the owner on Feb 5, 2025. It is now read-only.

SIWA: Apple credential can't be revoked when account has 2FA #499

Closed
rachelmcr opened this issue Oct 9, 2020 · 3 comments
Labels
bug Something isn't working SIWA Sign In With Apple

Comments

rachelmcr (Contributor) commented Oct 9, 2020

In #138 we added support to listen to Apple's `credentialRevokedNotification`, so it could be handled in the client app. However, this only works for accounts without 2FA.

For accounts with 2FA, the Apple ID isn't written to the Keychain. (As observed by the app log `checkAppleIDCredentialState: No Apple ID found.` after logging in with SIWA and 2FA.) Revoking the Apple ID access for WordPress then doesn't have an effect.

To reproduce:

  1. Start with a WordPress.com account with 2FA that is connected to Apple.
  2. Log in to a client app (WordPress or WooCommerce) with SIWA.
  3. Go to Settings app > Apple ID > Password & Security > Apps using Apple ID and revoke access for WordPress.
  4. Open the client app again. Notice you are not logged out.

I reproduced this issue with both the WordPress and WooCommerce apps, and confirmed that it works as expected without 2FA but the issue appears when 2FA is enabled on the WordPress.com account.

h/t @jaclync for the troubleshooting help that identified 2FA as the source of the issue!

@rachelmcr rachelmcr added bug Something isn't working SIWA Sign In With Apple labels Oct 9, 2020
jaclync (Contributor) commented Oct 12, 2020

Great finding! From my testing (WCiOS & WPiOS), I was able to reproduce this issue with 2FA enabled and with one extra step between step 1 and 2 - close the client app.

If I left the app open, the app was logged out as expected; but if I closed the app and then launched it after revoking WordPress from Apple ID, the app didn't get logged out.

jaclync (Contributor) commented Oct 13, 2020

From my testing, the Apple ID is removed from Keychain when I come back to the app from copying one-time password (OTP) from another app (1Password for example).

Because we check Apple ID credential state on each UIApplication.didBecomeActiveNotification, this is triggered after I leave the app to get OTP and then come back. However, at this point the app is still on the OTP screen and is not considered "logged in" and thus it removes the Apple ID from Keychain (code in WCiOS).

The issue is that the Apple ID is saved to the Keychain too early (right after SIWA), when the app might not be fully logged in yet. I plan to fix this in WCiOS by saving the Apple ID to the Keychain when authentication completes (the authenticator's delegate `sync(credentials:onCompletion:)`; see the WCiOS issue).

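The save-late ordering jaclync describes, written out as an added Swift example (this is not code from WPiOS or WCiOS): the Apple user identifier from the SIWA callback is held in memory and only written to the Keychain once the WordPress.com login, including any 2FA step, has completed, so the credential check that runs on every `UIApplication.didBecomeActiveNotification` has nothing to delete while the OTP screen is showing. The `AppleUserIDStore` protocol and its in-memory stand-in (a real app would wrap Security.framework), the `AppleIDRevocationMonitor` class, the `onRevoked` hook and the method names are assumptions made for illustration; the AuthenticationServices calls (`getCredentialState(forUserID:)`, `credentialRevokedNotification`, `ASAuthorizationAppleIDCredential.user`) are Apple's.

```swift
import Foundation
import AuthenticationServices

/// Where the Apple user identifier lives between launches.
/// Assumption: the apps keep it in the Keychain; an in-memory stand-in
/// keeps this example self-contained.
protocol AppleUserIDStore {
    func load() -> String?
    func save(_ userID: String)
    func clear()
}

final class InMemoryAppleUserIDStore: AppleUserIDStore {
    private var value: String?
    func load() -> String? { value }
    func save(_ userID: String) { value = userID }
    func clear() { value = nil }
}

/// Keeps the Sign in with Apple user identifier so a later credential check
/// (or credentialRevokedNotification) can log the user out. Hypothetical class.
final class AppleIDRevocationMonitor {
    private let store: AppleUserIDStore
    private let provider = ASAuthorizationAppleIDProvider()
    private var revocationObserver: NSObjectProtocol?

    /// User ID handed back by SIWA but not yet persisted, because the
    /// WordPress.com login may still be waiting on a 2FA code.
    private var pendingUserID: String?

    /// Hypothetical hook: the app's own "log out" routine.
    var onRevoked: () -> Void = {}

    init(store: AppleUserIDStore) { self.store = store }

    /// Step 1: ASAuthorizationControllerDelegate success. Pass `credential.user`
    /// from `authorizationController(controller:didCompleteWithAuthorization:)`.
    /// The ID is only buffered in memory; the store is NOT touched yet.
    func didReceiveAppleIDCredential(userID: String) {
        pendingUserID = userID
    }

    /// Step 2: the WordPress.com session is fully established, i.e. the
    /// authenticator's sync(credentials:onCompletion:) delegate fired, after
    /// any 2FA. Only now does the ID reach persistent storage.
    func didCompleteAuthentication() {
        guard let userID = pendingUserID else { return }
        store.save(userID)
        pendingUserID = nil
    }

    /// Step 3: run on every UIApplication.didBecomeActiveNotification and on
    /// credentialRevokedNotification. Calls completion(true) when the stored
    /// Apple ID was cleared.
    func checkAppleIDCredentialState(isLoggedIn: Bool,
                                     completion: @escaping (Bool) -> Void) {
        guard let userID = store.load() else {
            // Mid-2FA the ID is still in `pendingUserID`, so coming back from a
            // password manager to the OTP screen no longer deletes anything.
            completion(false)
            return
        }
        guard isLoggedIn else {
            // A stored ID with no session is stale: clean it up.
            store.clear()
            completion(true)
            return
        }
        provider.getCredentialState(forUserID: userID) { [weak self] state, _ in
            switch state {
            case .revoked, .notFound:
                // Access was revoked under Settings > Apple ID > Password &
                // Security > Apps using Apple ID: forget the ID and log out.
                self?.store.clear()
                self?.onRevoked()
                completion(true)
            default:
                completion(false)
            }
        }
    }

    /// Covers the app-is-running case: Apple posts this when access is revoked.
    func startObservingRevocation(isLoggedIn: @escaping () -> Bool) {
        revocationObserver = NotificationCenter.default.addObserver(
            forName: ASAuthorizationAppleIDProvider.credentialRevokedNotification,
            object: nil, queue: .main) { [weak self] _ in
                self?.checkAppleIDCredentialState(isLoggedIn: isLoggedIn()) { _ in }
        }
    }

    deinit {
        if let observer = revocationObserver {
            NotificationCenter.default.removeObserver(observer)
        }
    }
}
```

Wiring: call `didReceiveAppleIDCredential(userID:)` from the SIWA delegate, `didCompleteAuthentication()` from the authenticator's completion delegate, and `checkAppleIDCredentialState(isLoggedIn:completion:)` from the `didBecomeActive` observer. The revoked notification only reaches an app that is running, which is why the activation-time `getCredentialState(forUserID:)` check is what handles the closed-and-relaunched case from the Oct 12 comment; that check can only work if the user identifier survived the login flow, which is exactly what deferring the save buys.
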
mokagio (Contributor) commented Feb 5, 2025

As of 2025/02/06 this repo is a public archive and no longer under development.

If you think this issue is still relevant for one or both of the former clients, please open an issue in WordPress/Jetpack iOS and WooCommerce iOS

Thanks!

@mokagio mokagio closed this as completed Feb 5, 2025