Sharing keychain between app and widget extension logs out user

[dandreiolteanu]

Describe the bug

Hey guys, first of all thanks for making this happen, I am still struggling to use it as expected when having a Widget Extension.

• Amplify version I am using is 2.51.5

Basically everything works as expected when I only have the main app and specify the access group with migrateKeychainItemsOfUserSession = true, I can still use the app and session is migrated -> user is not logged out.

As soon as I setup Amplify in the Widget Extension, I get logged out of the main app, something weird is happening and didn't quite figure out what, can you please help? @harsh62

If I start fresh installing the app and act as a new user, everything is working fine, but for users which already have the app installed it's not working.

The plan is to make a release in which we support shared keychain and add the widget extension, so there will be users logged out if this doesn't work properly, therefore making it impossible at the moment to release.

Attaching the setup code for the main app ⬇️

public func setup(application: UIApplication, launchOptions: [UIApplication.LaunchOptionsKey: Any]?, config: TiltCore.VendorConfig) {
        #if DEBUG
        Amplify.Logging.logLevel = .verbose
        #endif

        do {
            let configuration = try AmplifyConfiguration(
                configurationFile: AppConfiguration.current.amplify.configFileURL
            )
            let accessGroup = AccessGroup(
                name: AppConfiguration.current.vendor.appKeychainSharingIdentifier,
                migrateKeychainItemsOfUserSession: true
            )
            let secureStoragePrefernces = AWSCognitoSecureStoragePreferences(accessGroup: accessGroup)
            try Amplify.add(
                plugin: AWSCognitoAuthPlugin(
                    networkPreferences: AWSCognitoNetworkPreferences(maxRetryCount: 2, timeoutIntervalForRequest: 15),
                    secureStoragePreferences: secureStoragePrefernces
                )
            )
            try Amplify.add(plugin: AWSPinpointAnalyticsPlugin())
            try Amplify.add(plugin: AWSS3StoragePlugin())
            try Amplify.configure(configuration)
            Log.info("Amplify initialized successfully with Auth, Analytics, Storage")
        } catch {
            Log.error(category: .config, "Amplify init failed with \(error.localizedDescription)", error: error)
        }
    }

Attaching the setup code for the widget extension ⬇️

private func setupVendorAWS(configuration: TiltWidgetKitConfiguration) {
        #if DEBUG
        Amplify.Logging.logLevel = .verbose
        #endif

        do {
            let amplifyConfiguration = try AmplifyConfiguration(
                configurationFile: configuration.amplify.configFileURL
            )
            let accessGroup = AccessGroup(
                name: configuration.vendor.appKeychainSharingIdentifier,
                migrateKeychainItemsOfUserSession: true, false // tried both
            )
            let secureStoragePrefernces = AWSCognitoSecureStoragePreferences(accessGroup: accessGroup)
            try Amplify.add(
                plugin: AWSCognitoAuthPlugin(
                    networkPreferences: AWSCognitoNetworkPreferences(maxRetryCount: 2, timeoutIntervalForRequest: 15),
                    secureStoragePreferences: secureStoragePrefernces
                )
            )
            try Amplify.configure(amplifyConfiguration)
            Log.info(category: .widgetKit, "Amplify initialized successfully with Auth")
        } catch {
            Log.error(category: .widgetKit, "Amplify init failed with \(error.localizedDescription)", error: error)
        }
    }

• note I've tried both migrateKeychainItemsOfUserSession = true or false with clean simulators

Steps To Reproduce

Steps to reproduce the behavior:
1. Add keychain sharing support to an already existing app (for a logged in user)
2. Add widget extension and use initialize amplify from there using the same keychain sharing
3. Run the app
4. User is logged out

Expected behavior

User session should be persisted in the main app and widget extension can fetch auth session same as the main app

Amplify Framework Version

2.51.5

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

5.10

CLI version

no idea

Xcode version

26.0.1

Relevant log output

Is this a regression?

No

Regression additional context

No response

Platforms

iOS

OS Version

iOS 26.0

Device

iPhone 17 Pro

Specific to simulators

No response

Additional context

No response

[tylerjroach]

Hi @dandreiolteanu I'm testing a few different scenarios, recording the results, and will get back to you shortly.

[tylerjroach]

I believe I've been able to figure out the problem.

If you want to migrate your data from the old keychain, you need to set migrateKeychainItemsOfUserSession = true. If you don't do this on the share extension, it will not migrate AND it will delete the old keychain data. This would be the first scenario that causes a log out.

I understand you have also tried migrateKeychainItemsOfUserSession = true for bot the app and share extension. It looks like there is an issue where we determine if the migration has happened based on a user defaults value. Since the app and share extension don't share user defaults, whichever of the 2 is launched second, will clear the keychain.

We will look at preventing this internally, but I do have a workaround for you to try.

1. Add this function

func shouldMigrateAmplifyKeychain(for accessGroupName: String) -> Bool {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.amplify.awsCognitoAuthPluginShared",
            kSecAttrAccessGroup as String: accessGroupName,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]
        
        let status = SecItemCopyMatching(query as CFDictionary, nil)
        return status != errSecSuccess
    }

let accessGroup = AccessGroup(
  name: accessGroupName, 
  migrateKeychainItemsOfUserSession: shouldMigrateAmplifyKeychain(for: accessGroupName)
)

This checks to see if the new keychain access group has already been migrated. If it hasn't, it will be true which you need for the initial migration. Any future checks should result in false which should prevent clearing the existing keychain data now stored in the shared keychain. Please let me know if this works for you as expected.

[dandreiolteanu]

Will try that but something similar that I've tried and didn't work was:

• main app sets migrateKeychainItemsOfUserSession true
• run the app, everything is migrated
• move on the branch where I have widget extension setup and set migrateKeychainItemsOfUserSession false (theoretically migration already happened) so it should work
• main app I am logged out (but it still used migrateKeychainItemsOfUserSession true)

also I am working with WidgetExtension and not ShareExtension, they are both sometimes initialised at the same time which could cause a race condition

I've also tried delaying the WidgetExtension AmplifyConfig based on a shared UserDefault parameter which both have access to that would indicate that the migration happened and still no luck

[tylerjroach]

also I am working with WidgetExtension and not ShareExtension, they are both sometimes initialised at the same time which could cause a race condition

I think this probably describes the problem here in the scenario you stated above.

move on the branch where I have widget extension setup and set migrateKeychainItemsOfUserSession false (theoretically migration already happened) so it should work

I tested a similar scenario.

If you launch with a keychain access group, you have 1 chance to migrate. If the first thing launched was false, it will wipe the existing credentials. If there was a condition where they were launching at the same time, the widget extension may have deleted the old keychain just before the app had migrated.

[tylerjroach]

Either way, I am labelling this as a bug for us to fix internally, and hope that the suggestion above can work at least for the short term.

[dandreiolteanu]

I have tested briefly what you proposed and it seemed to have done the job, will be testing some more tomorrow and next week. Thanks for the very quick response and workaround, looking forward to see the fix in an Amplify release.

[tylerjroach]

Awesome, thanks for the update.