Securely share OAuth access/refresh tokens between devices?

This weekend I have been experimenting with an API that requires OAuth 2.0 authentication. Thanks to the example provided by @simonbs I finally got that to work after a lot of struggle (turned out the service does not accept scriptable:// in a redirect URL; I’m so thankful that Simon added https://open.scriptable.app as an alternative!).

However, it now works on a single device only and I want to use this in a widget that I run on both my iPhone and my iPad. The access token is valid for a couple of hours and then needs to be refreshed. How can I securely share (updated) access/refresh tokens between devices?

(I have asked about storing on a single device before and was hoping to use the Keychain, but there seems to be an issue with that? Or maybe the Keychain isn’t even shared? Documentation does not mention it. Anyhow, I currently can’t read a value that is written on another device)

How to do this?


I once made the CryptoKit shortcut and published it on reddit. From that I know that there are a few crypto libraries for Javascript. You can use one to encrypt the tokens, save it to a file in iCloud and then read that file and decrypt the token again. You can store the password/hash used for encryption/decryption in your keychain once on every device in the setup process and everything should be fine. Storing the password/hash hardcoded in the script is not ideal because then you could simply save the token in plain text in iCloud.


That’s indeed a solution/workaround I was/am considering.

Hope there are better/easier ones…

Oh wait, maybe I got this all wrong?

Wouldn’t the iPhone and the iPad be seen as different clients of my “App” that both can have their own access/refresh token?

That seems plausible. Actually, now that I think about that, it is probably the normal scenario for multiple clients, because how should they share the secrets? You have to log in with every client and therefore every one of them has their own tokens.

Looks like this might be the way to go!