Can't log in to Google account via iCloud Keychain Account sharing

Originator: zach
Number: rdar://27539823
Date Originated: 26-Jul-2016 01:17 AM
Status: Closed
Resolved: true
Product: macOS
Product Version: 10.12 Beta (16A254g)
Classification: Other Bug
Reproducible: Always
 
Summary:
iCloud Keychain shares Accounts from other machines, including the modern Google OAuth flow, re-authenticating as necessary. In Sierra DP3, this re-auth process cannot be completed.

Steps to Reproduce:
1. Log in to my Mac running Sierra
2. Wait for the iCloud Keychain "Turn on '<#google account#>'" prompt.
3. Hit "Turn On" button
4. Log into Google through the modal in the new SysPrefs window.

Expected Results:
The OAuth process ends and my account is activated on this machine.

Actual Results:
After entering my 2FA credentials, the web view disappears and account re-auth does not complete.

Version:
macOS Sierra 10.12 Beta (16A254g)

Notes:
Could not figure out a workaround.

Configuration:
Does not occur on 10.11 (so it doesn't appear to be a token problem), and the sync still works on other Macs (so it doesn't appear to be an iCloud Keychain problem).

Attachments:

Comments

Great, thanks. This fixes the issue. Marking as resolved.

Reducing the security of the escrow service seems sub-optimal. Will I be able to reset these defaults in the GM seed? This issue has been verified as resolved and can be closed.

Engineering has provided the following feedback regarding this issue:

The issue can be resolved by issuing the following commands in Terminal.app (/Applications/Utilities/Terminal.app):

defaults write com.apple.Security AppleServerAuthenticationAllowUATEscrow -bool YES
defaults write com.apple.Security AppleServerAuthenticationNoPinningEscrow -bool YES

