Keychain error with Firebase Authentication when updating to 11.1.0 #13584

Closed
juanjovn opened this issue Sep 4, 2024 · 11 comments · Fixed by #13643
@juanjovn

juanjovn commented Sep 4, 2024

Description

I'm getting this new error in my project after updating to Firebase 11:

An error occurred when accessing the keychain. The NSLocalizedFailureReasonErrorKey field in the NSError.userInfo dictionary will contain more information about the error encountered

It appears when doing:

Auth.auth().updateCurrentUser(unsharedUser, completion: { error in
  // ...
})

I downgraded to 10.29.0 and it works as expected.

Reproducing the issue

Use Auth.auth().updateCurrentUser in a shared keychain group.

Firebase SDK Version

11.1.0

Xcode Version

15.4

Installation Method

Swift Package Manager

Firebase Product(s)

Authentication

Targeted Platforms

iOS

Relevant Log Output

No response

@google-oss-bot

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@ncooke3 ncooke3 self-assigned this Sep 4, 2024
@morganchen12
Contributor

Can you obtain the detailed reason in the user info dictionary via NSLocalizedFailureReasonErrorKey?

@ncooke3
Member

ncooke3 commented Sep 5, 2024

This can be obtained via

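Auth.auth().updateCurrentUser(unsharedUser, completion: { error in
  // ...
  // `error` is optional; unwrap it while bridging to NSError to read userInfo.
  if let error = error as NSError? {
    print(error.userInfo)
  }
})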

Assuming I'm seeing the same error, I'm seeing a -34018 (missing entitlement) to be the reason for the underlying keychain failure. I'm still looking into why this is being thrown on v11 and not v10.

@ncooke3
Member

ncooke3 commented Sep 5, 2024

Hi @juanjovn, could you please provide the output after debugging with the above code snippet? Could you also confirm if you're testing on simulator, real device, or both?

@juanjovn
Author

juanjovn commented Sep 6, 2024

Hey @ncooke3, it happens on both simulator and real iPhone.

This is what I get from the userInfo print:

["NSLocalizedFailureReason": "SecItemAdd (-25299)", "NSLocalizedDescription": "An error occurred when accessing the keychain. The NSLocalizedFailureReasonErrorKey field in the NSError.userInfo dictionary will contain more information about the error encountered", "FIRAuthErrorUserInfoNameKey": "ERROR_KEYCHAIN_ERROR"]

I also get one kind of similar error when signing in:

let credential = OAuthProvider.credential(providerID: .apple, idToken: appleIdTokenString, rawNonce: nonce)
let result = try await Auth.auth().signIn(with: credential)

Error thrown:

["FIRAuthErrorUserInfoNameKey": "ERROR_KEYCHAIN_ERROR", "NSLocalizedFailureReason": "SecItemAdd (-25299)", "NSLocalizedDescription": "An error occurred when accessing the keychain. The NSLocalizedFailureReasonErrorKey field in the NSError.userInfo dictionary will contain more information about the error encountered"]

I have set the Keychain Access Groups entitlement in my Xcode project and it works on Firebase 10.29.0.

@ncooke3
Member

ncooke3 commented Sep 6, 2024

Thanks, @juanjovn. That error code is for a duplicate item (https://www.osstatus.com/search/results?platform=all&framework=all&search=-25299)

I'm still investigating how this is happening. I have not been able to reproduce the error. If you could provide steps to reproduce, that may help me reproduce the behavior you are observing.
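
A small diagnostic helper for the failure-reason format shown in this thread, added here as an example (not code from the Firebase SDK or from any commenter): it parses a reason such as "SecItemAdd (-25299)" into the API name and OSStatus and asks the Security framework for the description. The names KeychainFailure and decodeKeychainFailure and the sample error domain are hypothetical.

```swift
import Foundation
import Security

/// Decoded form of a keychain failure reason such as "SecItemAdd (-25299)".
struct KeychainFailure {
  let operation: String   // Security API named in the reason, e.g. "SecItemAdd"
  let status: OSStatus    // raw OSStatus, e.g. -25299
  let meaning: String     // system-provided description of the status
}

/// Parses the "<function> (<OSStatus>)" failure reason shown in this thread.
/// Returns nil when the error carries no reason in that shape.
func decodeKeychainFailure(_ error: Error) -> KeychainFailure? {
  let nsError = error as NSError
  guard let reason = nsError.userInfo[NSLocalizedFailureReasonErrorKey] as? String else {
    return nil
  }
  // Expected shape: an identifier, a space, then a signed integer in parentheses.
  let pattern = #"^(\w+) \((-?\d+)\)$"#
  guard let regex = try? NSRegularExpression(pattern: pattern),
        let match = regex.firstMatch(in: reason, range: NSRange(reason.startIndex..., in: reason)),
        let opRange = Range(match.range(at: 1), in: reason),
        let codeRange = Range(match.range(at: 2), in: reason),
        let status = OSStatus(reason[codeRange]) else {
    return nil
  }
  // Ask the Security framework for the description instead of hard-coding a table.
  let meaning = SecCopyErrorMessageString(status, nil) as String? ?? "unknown OSStatus"
  return KeychainFailure(operation: String(reason[opRange]), status: status, meaning: meaning)
}

// Constructed sample input mirroring the userInfo printed in this thread.
let sample = NSError(domain: "ExampleAuthErrorDomain", code: 0, userInfo: [
  NSLocalizedFailureReasonErrorKey: "SecItemAdd (-25299)"
])
if let failure = decodeKeychainFailure(sample) {
  print("\(failure.operation) failed with \(failure.status): \(failure.meaning)")
  if failure.status == errSecDuplicateItem {
    // -25299: the add collided with an item that is already stored.
    print("An item with the same primary attributes already exists in the keychain.")
  }
}
```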

@juanjovn
Author

juanjovn commented Sep 11, 2024

Hi, this is my code to reproduce it:

func setAuthenticationState() {
  if let unsharedUser = Auth.auth().currentUser {
      Auth.auth().shareAuthStateAcrossDevices = true
      do {
        try Auth.auth().useUserAccessGroup("TEAMID.com.MY.BUNDLE")
      } catch {
        Logger.log(message: "Error using access group:\(error.localizedDescription)", event: .error)
      }
      
      guard let _ = Auth.auth().currentUser else {
        Logger.log(message: "Shared user is nil", event: .error)
        return
      }
      
      Auth.auth().updateCurrentUser(unsharedUser, completion: { error in
        if let error {
          Logger.log(message: "Error updating current user with unshared user: \(error.localizedDescription)", event: .error)
        }
      })
      
      Logger.log(message: "🟢 Authenticated set to TRUE", event: .debug)
      isAuthenticated = true
  } else {
      Logger.log(message: "🔴 There is no current unshared user. Authenticated set to FALSE", event: .debug)
      isAuthenticated = false
  }
}

The error occurs when calling Auth.auth().updateCurrentUser

@ncooke3
Member

ncooke3 commented Sep 16, 2024

Thanks @juanjovn for the sample code! I have a fix (#13642) staged for the next release 11.3 that should resolve this issue. If you'd like to test it out yourself, I have a branch (https://github.com/firebase/firebase-ios-sdk/tree/fix-13584) that SwiftPM can point to.

The issue was that Firebase 11 missed a keychain key that was needed to read back Firebase 10 keychain entries that were made with the missing key. This only became an issue when Auth was configured with a keychain access group and shareAuthStateAcrossDevices == true. This is the "existing user case" that will be fixed by #13642.

There is another case I'm still investigating where a user (again with auth configured with a keychain access group and shareAuthStateAcrossDevices == true) is stored on 11.0, 11.1, or 11.2 and missing that key. In this case, such entries will not be read properly when 11.3 adds back the missing key (basically, the same problem you reported but from the upgrade path 11.0/11.1/11.2 -> 11.3 (fixed) rather than from 10.x -> 11.0/11.1/11.2). I'll leave this issue open until I have a fix for this case also staged in 11.3.

@RaffiRincon
I'm currently unable to log in because of this issue. I tried making SwiftPM use the URL for the branch with the fix, but that isn't working, so I'm going to just clone the repo at that branch and add it locally. Any ETA for this being merged to prod?

@RaffiRincon

When I cloned it and then tried to add it locally, I got this error:
image

@ncooke3
Member

ncooke3 commented Sep 30, 2024

11.3 is now released and should resolve this issue. Please let us know in a new issue if you run into trouble.
