I am working on an iOS app which will handle user login for other apps. When a login is successful, the user will be redirected to the user's selected app (if installed) with iOS deep linking using URL schemes. Upon redirect I would like to pass a user access token to the opening app. The receiving app should somehow be entitled to read the token. It is not an option to pass it in the URL because of the following (from Apple docs https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html):
"If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."
Which means an arbitrary app may open and thus receive the user access token. I could encrypt the token and the receiving app would decrypt it with a shared key, but I am not sure if that is considered a safe way.
I really like the idea of sharing the user access token via Keychain Sharing (keychain group) as described here: http://evgenii.com/blog/sharing-keychain-in-ios/, but that seems to work only when the apps are developed by the same team (using the same App ID prefix), and in my case there may be apps which will be implemented by other developers. So it looks like this would not work.
EDIT: Just to confirm, sharing keychain items is only allowed in apps developed by a single development team (https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html):
"... you share keychain items using Access Groups. This kind of sharing does not require interaction with, or permission from the user, but limits sharing to apps that are delivered by a single development team."
Could anyone suggest some ideas for how I could pass a user access token to another app (or apps) safely? Safely meaning that only apps that are entitled to receive the information will receive it.