Commit 56138f0

feat: Add 'credential handling' section to Swift Under the hood (aws-amplify#4794)
1 parent 923dd23 commit 56138f0

2 files changed: +9 -0 lines changed

src/fragments/lib/auth/common/overview.mdx

Lines changed: 4 additions & 0 deletions
@@ -28,3 +28,7 @@ Many apps also support login with social providers such as Facebook, Google Sign
2828
## Accessing AWS services
2929

3030
Some apps need to use AWS services which require [signing requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html). Examples of this would be storing images or videos on S3, or sending analytics to Pinpoint or Kinesis. Amplify automatically signs requests with short term credentials from a Cognito Identity Pool which automatically expire, rotate, and refresh by the Amplify client libraries.
31+
32+
import ios0 from "/src/fragments/lib/auth/ios/credential_handling/10_credential_handling.mdx";
33+
34+
<Fragments fragments={{ios: ios0}} />
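Review bot: the `<Fragments>` element on new line 34 maps only the `ios` key, so for every other platform the overview still ends at "Accessing AWS services" and says nothing about how credentials are stored or refreshed. The fragment also carries its own `## Credential handling` heading at the same level as `## Accessing AWS services`, although it elaborates on the short-term credentials that paragraph introduces; consider making it a `###` subsection, or confirm that a platform-conditional top-level section is intended. Minor: `ios0` is an opaque import name; a descriptive one would be easier to follow if the repository's convention allows it.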
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
## Credential handling
2+
3+
Amplify Swift library securely handles credentials and user identity information. You do not need to store, refresh, or delete credentials yourself. Instead, Amplify Swift library handles these operations using platform capabilities such as [`ASWebAuthenticationSession`](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) for web-based OAuth flows, and [Keychain Services](https://developer.apple.com/documentation/security/keychain_services/) for storing and retrieving sensitive information. Only the host app (or defined app group) can access values that Amplify Swift library stores, and Amplify Swift library also clears credentials if it detects a configuration change such as a new Cognito UserPool or Cognito Identity Pool.
4+
5+
You can retrieve stored credentials by invoking [`fetchAuthSession` API](https://docs.amplify.aws/lib/auth/access_credentials/q/platform/ios/), which is the same API that other Amplify Swift library categories use to retrieve credentials for making calls to backend services like AWS AppSync, Amazon Pinpoint, and Amazon Simple Storage Service (Amazon S3). That API validates stored credentials and returns them if valid. If the credentials are not valid, Amplify Swift library will use the stored refresh token to refresh the credentials and return them. If the refresh token is not valid, Amplify Swift library will return a session expired error.
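Review bot: the last sentence of the second paragraph (new line 5) says an invalid refresh token produces "a session expired error" without naming the error or saying what the app should do next; name the concrete error case and say whether the user must sign in again, so readers can handle it in code. In the first paragraph (new line 3), "Only the host app (or defined app group) can access values" would be easier to verify if it said which Keychain mechanism enforces this and where the app group is configured, and the clause about clearing credentials on a configuration change should say whether the user ends up signed out. Minor: "Amplify Swift library" is missing its article throughout, and the `fetchAuthSession` link is an absolute docs.amplify.aws URL with "API" inside the link text.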
