
App is logged out after period of inactivity / overnight on iOS 15 #320

Closed
ewalkerbnr opened this issue Nov 22, 2021 · 14 comments

Comments

@ewalkerbnr

ewalkerbnr commented Nov 22, 2021

Hi, we have users reporting logouts on our app after upgrading to iOS 15. After periods of inactivity or overnight they are presented with the login screen. It looks like sometimes there are issues loading the StateManager from the keychain. Looking through the device logs we see:

[Screenshot of device logs, 2021-11-18]

The size of the blob is around 14,000 bytes.

[Screenshot, 2021-11-22]

Any help would be greatly appreciated.

Thanks
Eric

@mikenachbaur-okta
Collaborator

I'll take a look; @oleggnidets-okta can you also take a look at this when you have a chance? These timeout / overnight bugs can be difficult to track down / debug, so having an extra pair of eyes on the problem can help.

@oleggnidets-okta
Contributor

This is strange behavior. So the first thing that comes to my mind is that it may relate to a system issue.
I see the threads on Apple Developer Forum #685685, #691353.

@ewalkerbnr
Author

Thanks for looking into this.

@ewalkerbnr
Author

ewalkerbnr commented Nov 30, 2021

Hi

For this code in OktaOidcKeychain:

```swift
var q = [
    kSecClass as String: kSecClassGenericPassword as String,
    kSecValueData as String: data,
    kSecAttrAccount as String: key,
    // Falls back to the strictest per-device class when no accessibility is supplied.
    kSecAttrAccessible as String: accessibility ?? kSecAttrAccessibleWhenUnlockedThisDeviceOnly
] as [String: Any]
```

Wondering what the result would be if we were to use kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly instead of kSecAttrAccessibleWhenUnlockedThisDeviceOnly.

@mikenachbaur-okta
Collaborator

@ewalkerbnr I'm curious, does your app utilize push notifications, custom push notification app extensions, or background app updates?

If your app is being launched in the background while the device is locked, and you aren't specifying a custom accessibility attribute when initializing your OktaOidcStateManager instance, this could be a cause for this issue.

@ewalkerbnr
Author

ewalkerbnr commented Nov 30, 2021

Our app does utilize push notifications, notification extensions and has a watch kit companion app.

@mikenachbaur-okta
Collaborator

Keychain access accessibility is a contentious topic, from a security perspective. From a security-first posture, the "WhenUnlocked" option is the most secure, which is a sensible default when there are unknowns about the environment an app is running within.

Given that your app responds to push notifications, it might make sense to define a custom AfterFirstUnlock accessibility setting so it can properly respond to background push notifications.

That being said, it's surprising to me that you're receiving logouts when account credentials are being accessed while in the background. I would expect that attempts to access the keychain entries while locked would result in a nil state manager being returned, as opposed to logging the user out on failure.

Are you able to determine whether or not changing the accessibility mode influences this behaviour?

@ewalkerbnr
Author

I'm going to try it out and do some testing. I'll update with my findings. thx

@ewalkerbnr
Author

ewalkerbnr commented Nov 30, 2021

I don't see an easy way to specify the custom value. It's defaulting to kSecAttrAccessibleWhenUnlockedThisDeviceOnly:

```swift
func signInWithBrowserTask(_ task: OktaOidcBrowserTask,
                           callback: @escaping ((OktaOidcStateManager?, Error?) -> Void)) {
    currentUserSessionTask = task

    task.signIn(delegate: configuration.requestCustomizationDelegate) { [weak self] authState, error in
        defer { self?.currentUserSessionTask = nil }
        guard let authState = authState else {
            callback(nil, error)
            return
        }

        // The state manager is created with its default accessibility here;
        // nothing in this path lets the caller pass a custom value.
        let authStateManager = OktaOidcStateManager(authState: authState)
        if let delegate = self?.configuration.requestCustomizationDelegate {
            authStateManager.requestCustomizationDelegate = delegate
        }
        callback(authStateManager, nil)
    }
}
```

@ewalkerbnr
Author

@mikenachbaur-okta Hi would we be able to get the kSecAttrAccessible attribute default changed to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly instead of kSecAttrAccessibleWhenUnlockedThisDeviceOnly? Or can I open a PR so we could test the change?

@mikenachbaur-okta
Collaborator

@ewalkerbnr The OktaOidcStateManager.accessibility property, as well as the constructor, permits the assignment of a custom accessibility flag. The default is kSecAttrAccessibleWhenUnlockedThisDeviceOnly, but you can try supplying a different value, and can use that to evaluate if that addresses your problem.

@ewalkerbnr
Author

The signInWithBrowserTask function is in the Okta OIDC framework. Is there another place where I can hook in?

@oleggnidets-okta
Contributor

oleggnidets-okta commented Dec 6, 2021

Hi @ewalkerbnr

When you authenticate a user with signInWithBrowser you get an OktaOidcStateManager instance.
You can set the accessibility property and then save it to storage. Consider this code:

```swift
oktaOidc.signInWithBrowser(from: self) { stateManager, error in
    // The callback's state manager is optional: nil means sign-in failed.
    guard let stateManager = stateManager else { return }
    // Choose the keychain accessibility class before the session is persisted.
    stateManager.accessibility = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    stateManager.writeToSecureStorage()
}
```

Could you verify it?
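A self-contained example added here (not OktaOidc project code) covering both the accessibility choice in the snippet above and the point Mike raises earlier in the thread: a small keychain wrapper that stores a blob under an explicit accessibility class and, on read, separates errSecInteractionNotAllowed (device locked, item still present) from errSecItemNotFound, so a background read while locked need not be treated as a logout. The `KeychainBlobStore` type, its `service` string and `KeychainReadResult` are assumed names.

```swift
import Foundation
import Security
/// Outcome of a keychain read, keeping "locked" distinct from "missing".
enum KeychainReadResult {
    case found(Data)
    case notFound                 // errSecItemNotFound: no session stored at all
    case lockedNotAccessible      // errSecInteractionNotAllowed: protected by lock state
    case failure(OSStatus)
}
struct KeychainBlobStore {
    let service: String           // assumed: the app's own identifier
    /// Stores `data` under `account`. The default matches the library's WhenUnlocked
    /// setting; AfterFirstUnlock allows reads from a background launch after first unlock.
    func write(_ data: Data, account: String,
               accessibility: CFString = kSecAttrAccessibleWhenUnlockedThisDeviceOnly) -> OSStatus {
        let baseQuery: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Replace any existing item so the new accessibility attribute is applied.
        SecItemDelete(baseQuery as CFDictionary)
        var addQuery = baseQuery
        addQuery[kSecValueData as String] = data
        addQuery[kSecAttrAccessible as String] = accessibility
        return SecItemAdd(addQuery as CFDictionary, nil)
    }
    /// Reads the blob; a caller should only clear the session on `.notFound`.
    func read(account: String) -> KeychainReadResult {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:
            return (item as? Data).map(KeychainReadResult.found) ?? .failure(status)
        case errSecItemNotFound:
            return .notFound
        case errSecInteractionNotAllowed:
            return .lockedNotAccessible   // keep the session and retry once unlocked
        default:
            return .failure(status)
        }
    }
}
```

Run the read from a background launch on a locked device to observe `.lockedNotAccessible` with the WhenUnlocked class, and `.found` once the item has been written with `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`.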

@oleggnidets-okta
Contributor

As no response was provided, I believe the issue can be closed.
@ewalkerbnr Feel free to re-open if needed.

Thank you for using Okta!
