"Passwords not saved"

I'm building a small application which logs in to a remote server over an HTTP-based API. Authentication is via a username and password in an HTTP PUT. Nice and simple. I want to offer users the ability to save credentials, and I want the saved credentials to show up in Keychain Access, ideally just like credentials saved in Safari. My question is about how to recognize when the user has made the decision not to save credentials for a site.


When Safari prompts you to make a credential saving decision and you tell it "Never for This Website", it appears to save a Keychain item with the username "Passwords not saved". The item's name is in the form "<server> (Passwords not saved)". It looks to me like any other saved credential. Is there something special I've missed about these items, or is the username "Passwords not saved" just recognized and handled in a special way?

Replies

Presumably, based on you mentioning Keychain Access, you’re targeting the Mac here.

How are you running your HTTP request? NSURLSession?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Sorry, I should have included that.


Yes, targeting macOS, arbitrarily new (no existing users; I'm on 10.15.4). I'm trying to use Swift, though if some option which would help isn't available, I'm fine with Obj-C. Currently using URLSession, though I'm open to switching if something else would be better. The remote API is based entirely around HTTP PUT requests.


iPadOS compatibility might be an eventual goal, but that's waaaay off past the horizon. For now, I'm trying to understand the right way to flag that the user doesn't want credentials saved for a given server. Safari's behavior seems like a good place to start, and I started by asking here because I'm not sure if it's a weird thing Safari does, or if it's using some flag on the keychain items of which I am unaware.


If this code ever winds up being used for real, the server it talks to uses Active Directory accounts for authentication. In organizations (like mine) which have ignored the last 30+ years of security research showing regular password changes hurt security, the users may need to update the saved password frequently. The same credentials would also be used to log in to a lot of internal web applications, file servers, and so on, so making it visible in Keychain Access is the cleanest way I could think of to let the user update all instances of the password at once.

Thanks for all the background info. You wrote:

For now, I'm trying to understand the right way to flag that the user doesn't want credentials saved for a given server.

I think the droid you’re looking for is kSecAttrIsNegative.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
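
As an added example, not code from this thread or from Apple, here is one way to record and later detect a per-server "never save" decision with kSecAttrIsNegative, mirroring the Safari item the question describes. The server name "example.internal", the label text, and the HTTPS / HTTP Basic attribute choices are assumptions.

```swift
import Foundation
import Security

/// Marks a server as "never save credentials" with a negative keychain item
/// and checks for that marker before prompting the user again.
enum CredentialPolicy {
    /// Attributes that identify the marker item for one server (assumed values).
    private static func baseQuery(server: String) -> [CFString: Any] {
        [
            kSecClass: kSecClassInternetPassword,
            kSecAttrServer: server,
            kSecAttrProtocol: kSecAttrProtocolHTTPS,
            kSecAttrAuthenticationType: kSecAttrAuthenticationTypeHTTPBasic,
        ]
    }

    /// Store a placeholder item flagged negative; no secret is kept in it.
    static func rememberNeverSave(server: String) -> OSStatus {
        var attrs = baseQuery(server: server)
        attrs[kSecAttrAccount] = "Passwords not saved"          // Safari's visible username
        attrs[kSecAttrLabel] = "\(server) (Passwords not saved)" // shows up in Keychain Access
        attrs[kSecAttrIsNegative] = true                         // the flag from the reply
        attrs[kSecValueData] = Data()                            // empty: this is only a marker
        let status = SecItemAdd(attrs as CFDictionary, nil)
        return status == errSecDuplicateItem ? errSecSuccess : status
    }

    /// True if a negative item exists for this server, i.e. the user chose "never".
    static func userDeclinedSaving(server: String) -> Bool {
        var query = baseQuery(server: server)
        query[kSecAttrIsNegative] = true
        query[kSecReturnAttributes] = true
        query[kSecMatchLimit] = kSecMatchLimitOne
        var result: CFTypeRef?
        return SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess
    }

    /// Remove the marker so the user can be asked again.
    static func forgetDecision(server: String) -> OSStatus {
        var query = baseQuery(server: server)
        query[kSecAttrIsNegative] = true
        return SecItemDelete(query as CFDictionary)
    }
}

// Usage: consult the marker before offering to save a real credential.
let host = "example.internal"
if !CredentialPolicy.userDeclinedSaving(server: host) {
    _ = CredentialPolicy.rememberNeverSave(server: host) // user picked "never" in your UI
}
```

Because the marker is an ordinary keychain item, the user can delete it in Keychain Access to be prompted again, the same way Safari's "Passwords not saved" entries can be removed.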

Thank you! That is exactly what I needed. I was focused on the password attributes.