Firebase’s Remote Config in context of an Authorization Plugin

I am trying to use Firebase’s Remote Config in the context of an Authorization Plugin. I’m doing this in order to implement feature flag support in our Auth Plugin. When I try to fetch remote Firebase settings, I get a -34018 indicating that there is an error with access to the keychain on the Mac.

Based on https://forums.developer.apple.com/forums/thread/114456, I have an entitlement problem. It’s my impression that it is not possible to grant entitlements to an Authorization Plugin, so I’m wondering if this kind of keychain access that Firebase requires is simply not possible. Or, if perhaps there is something I can do with entitlements to get this to work?

Working with macOS 13.6.2, Xcode 15.1

Answered by DTS Engineer in 776518022

It’s my impression that it is not possible to grant entitlements to an Authorization Plugin

Correct. Your plug-in is hosted within a system process and it’s the entitlements associated with that process that hold sway.

so I’m wondering if this kind of keychain access that Firebase requires is simply not possible.

Right.

It’s not uncommon to encounter problems like this when building an authorisation plug-in. Standard practice is to move the problematic code to a launchd daemon, and then have your authorisation plug-in use XPC to request that the daemon perform some operation on its behalf. However, this won’t work for the data protection keychain because the data protection keychain is not available outside of the standard GUI login context. That fact is documented in TN3137 On Mac keychain APIs and implementations.

My advice is that you work with this library’s vendor to see if you can configure (or adapt) it to work in a daemon context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
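The daemon-plus-XPC pattern described in the answer above, as an added example that is not code from this thread, from Apple or from Firebase: a hypothetical launchd daemon serves feature flags from a root-owned file (not the data protection keychain, which TN3137 says is unreachable from a daemon), and because it runs as root it only accepts XPC callers that satisfy a code-signing requirement. The service label, file path, Team ID and function names are placeholders.

```swift
import Foundation
// Shared XPC protocol (hypothetical names); both the plug-in and the daemon link it.
@objc protocol FeatureFlagXPC {
    func fetchFlag(named name: String, reply: @escaping (Bool, String?) -> Void)
}
// Daemon side. Assumption: a LaunchDaemons plist lists "com.example.featureflagd" under MachServices.
final class FlagService: NSObject, FeatureFlagXPC {
    // Assumption: flags live in a root-owned JSON file, since the daemon cannot reach the data protection keychain.
    private let flagFile = URL(fileURLWithPath: "/Library/Application Support/ExampleAuthPlugin/flags.json")
    func fetchFlag(named name: String, reply: @escaping (Bool, String?) -> Void) {
        do {
            let flags = try JSONDecoder().decode([String: Bool].self, from: Data(contentsOf: flagFile))
            reply(flags[name] ?? false, nil)          // unknown flag defaults to off
        } catch {
            reply(false, "flag lookup failed: \(error.localizedDescription)")
        }
    }
}
final class FlagListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // The daemon runs as root, so restrict callers to our own signing identity (macOS 13+ API; placeholder Team ID).
        conn.setCodeSigningRequirement("anchor apple generic and certificate leaf[subject.OU] = \"TEAMID0000\"")
        conn.exportedInterface = NSXPCInterface(with: FeatureFlagXPC.self)
        conn.exportedObject = FlagService()
        conn.resume()
        return true
    }
}
func runFlagDaemon() {
    let listener = NSXPCListener(machServiceName: "com.example.featureflagd")
    let delegate = FlagListenerDelegate()      // keep a strong reference; listener.delegate is weak
    listener.delegate = delegate
    listener.resume()
    RunLoop.main.run()
}
// Plug-in side: the system-hosted plug-in has no entitlements of its own, so it asks the daemon.
func isFeatureEnabled(_ name: String, completion: @escaping (Bool) -> Void) {
    let conn = NSXPCConnection(machServiceName: "com.example.featureflagd", options: .privileged)
    conn.remoteObjectInterface = NSXPCInterface(with: FeatureFlagXPC.self)
    conn.resume()
    let proxy = conn.remoteObjectProxyWithErrorHandler { _ in completion(false) } as! FeatureFlagXPC
    proxy.fetchFlag(named: name) { enabled, _ in
        completion(enabled)                     // fail closed on any daemon-side error
        conn.invalidate()
    }
}
```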

This is not a Google forum. Please post your question on the respective Google Firebase forum or GitHub repo.


It's quite a relevant question, as evidenced by the valuable reply from Apple below.
