0

I created an iCloud user webuser@somedomain.com then I shared specific records with that user.

What I want to do is have a web site use that user to access only the shared records it can access, but without having him authenticate through iCloud with Apple. The reason why is that I want to control what the web site can do and what it can access without asking a user to log in/sign up with Apple iCloud, and I don't want each user visiting the web site to have to log on to Apple ID. I thought this might be possible with CloudKit JS using web services, but it seems that the server-to-server key only gets access to the public database.

I'm not too fluent in JS and I'm trying to get the web developer to access my records.

The subject does not seem to be very popular and not much information exists out there. Please don't just say "NO IT'S NOT POSSIBLE". Give me a bit of info.

rmaddy
Patrick Miron

1 Answer

2

You are correct that getting CloudKit data via the server-to-server key or a JS API token can only get you access to the public database. User authentication is required for getting anything in a private or shared database.

This is sensible because your application wouldn't know which private database to query if it didn't have a CloudKit user as a reference. It would also be less secure if an anonymous user (even if it's your application) could query private user data.

As a workaround, you could have the iOS/macOS app push certain parts of the users' data that you want available on the web into your public database. You could make a record type in your public database of something like Web and create fields for all the data that you need. This shared data would then be available, but everything would be available to anyone. The user would still have to identify themselves in your web app to get certain data (which could be done if you had a userId field in your Web record type).

Hopefully that makes sense. Let me know if you have follow-up questions.

Clifton Labrum
  • Does the authentication have to be seen by the user, or can it be done by JavaScript with the username and password? I think that's what's missing and I would hate to throw a 2 year project out because of something mundane, I assumed it would be possible. – Patrick Miron Sep 08 '18 at 14:00
  • I think I get what you mean for the public database access with a user field. So if I get this right, I would have to set up something of a username in JavaScript per web page verifying which website is querying and let it access the data in the proper records I could name like "username.recordtype1" etc. – Patrick Miron Sep 08 '18 at 14:04
  • But wouldn't that mean that if a smart ass out there figures it out, he could read all the data without security, or would he absolutely need the server to server token. I guess that could also be an issue if someone leaks that token. Hmmm...??? – Patrick Miron Sep 08 '18 at 14:06
  • You can restrict where requests can be made. In the CloudKit Dashboard, click on your container, then go to **API Access** then create a new token. You can then set which domains are allowed to make requests with that JavaScript API token: https://d.pr/i/A3GBmF – Clifton Labrum Sep 08 '18 at 17:00
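
The public-database workaround from the answer, sketched as an added example (not code from the answer or from Apple): the trusted writer copies only allowlisted fields into a `Web` record, and the web page builds a CloudKit Web Services `records/query` body that filters on `userId`. Every field name other than `userId` is an assumption, and the sample record is constructed.

```javascript
// Fields the app is willing to expose in the public database.
// Everything not listed here stays in the private/shared database.
const PUBLIC_FIELDS = ['userId', 'title', 'summary']; // assumed field names

// Project a private record onto the allowlist before it is saved
// as a public `Web` record (record dictionary: { recordType, fields }).
function toWebRecord(privateFields) {
  const fields = {};
  for (const name of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(privateFields, name)) {
      fields[name] = { value: privateFields[name] };
    }
  }
  if (!('userId' in fields)) {
    throw new Error('Web record needs a userId to be queryable');
  }
  return { recordType: 'Web', fields };
}

// Request body for POST .../public/records/query.
// The filter value comes from the caller, so it selects records;
// it does not authenticate anyone.
function buildWebQuery(userId, resultsLimit = 50) {
  if (typeof userId !== 'string' || userId.length === 0) {
    throw new TypeError('userId must be a non-empty string');
  }
  return {
    query: {
      recordType: 'Web',
      filterBy: [{
        fieldName: 'userId',
        comparator: 'EQUALS',
        fieldValue: { value: userId, type: 'STRING' },
      }],
    },
    resultsLimit,
  };
}

// Constructed sample data: email and homeAddress must never reach `Web`.
const sample = { userId: 'u-1001', title: 'Trip notes', summary: 'Public blurb',
                 email: 'someone@example.com', homeAddress: '1 Example St' };
const webRecord = toWebRecord(sample);
const queryBody = buildWebQuery('u-1001');
```

Because anyone holding the API token can send the same query with a different `userId`, the allowlist is what limits exposure; the domain restriction on the token narrows where browser requests may originate.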