This repository has been archived by the owner on Sep 7, 2023. It is now read-only.

Share macOS Keychain items without prompts/create ACLs #125

Open
mjcheetham opened this issue Feb 4, 2021 · 0 comments
Labels
enhancement New feature or request

Comments

@mjcheetham

By default, when an application creates a macOS Keychain item, the access control list contains the calling application's identity. This prevents those allow/deny/always allow security prompts when the same application accesses the item.

If an application that is not present in the ACL attempts to read/write the entry, the security prompt is shown. Clicking "Deny" obviously declines the access request, and clicking "Allow" permits the operation just-this-time. Clicking "Always Allow" adds a new ACL for the calling application to the item, preventing future prompts.

Given one of the reasons to use this library is to facilitate sharing of a token cache between applications, it would be nice if there was a utility method on the MsalCacheHelper to forcibly add/ensure the calling application is present on the item's ACL.

The benefit here would be that users are only prompted once and that the option to just "Allow [once]" is not presented.

If there are other ways to avoid this prompt, such as Keychain groups/sharing based on the codesigning team identifier, then that would be even better, but there should be documentation about how to correctly use the library and set up such sharing.

Note that I'm not sure that Keychain groups/sharing is supported on non-iOS/iCloud keychains? There isn't a great deal of documentation from Apple here.

@jmprieur jmprieur added the enhancement New feature or request label Feb 4, 2021
@bgavrilMS bgavrilMS added bug Something isn't working P2 and removed enhancement New feature or request labels May 5, 2023
@bgavrilMS bgavrilMS changed the title [Feature Request] Share macOS Keychain items without prompts/create ACLs Share macOS Keychain items without prompts/create ACLs May 5, 2023
@bgavrilMS bgavrilMS added enhancement New feature or request and removed bug Something isn't working P2 labels May 5, 2023