How do I know which signon session is responding when Cloudkit redirects to my site after sign on

I am following this guide to build an HTTP signon process allowing users of a research site to grant our site access to their containers.


https://developer.apple.com/library/content/documentation/DataManagement/Conceptual/CloutKitWebServicesReference/Introduction/Introduction.html#//apple_ref/doc/uid/TP40015240


It goes like this. I try to access their data. If the request fails, I redirect their browser to the URL returned with the error. The CloudKit dashboard has been configured so as to redirect them back to a landing page on my site where I can gather the token. This works, but there are two problems. First, if many users will be signing on at the same time, how will I know which session is redirecting back to me after signon? Second, how do I thwart people who would attack me by hitting my after-signon landing page? In OAuth 2, I can send a passthru parameter called "state" with the original signon redirection, and that "state" is then tacked on to the redirection back. This allows the signon landing page to reject any requests that weren't sent by the site, and it also helps us link the token to the session.


I might be able to work around this with the JavaScript toolkit, but I see JavaScript as a security problem waiting to happen, as the API token is needed by the page.


Any thoughts? Right now, we are in research mode but this problem will need to be solved if we are to include iCloud Drive in our solution.


For kicks, I tried tacking a state parameter on to the redirection but that resulted in idmsa.apple.com/IDMSWeb/Auth returning an error.
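The OAuth 2-style "state" check the question describes (link the callback to the session that started sign-on, reject callbacks the site never issued), as an added example that is not from the original post, from Apple's CloudKit toolkit, or from any answer; the store, the session id and the TTL are assumptions.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: a sign-on round trip should finish within 10 minutes.
STATE_TTL_SECONDS = 600

# Assumption: server-side store keyed by state -> (session_id, issued_at).
# A real site would keep this in its session store, never in the browser.
_pending: Dict[str, Tuple[str, float]] = {}


def issue_state(session_id: str, now: Optional[float] = None) -> str:
    """Before redirecting the browser to sign-on: mint an unguessable,
    one-time state value and bind it to the caller's session."""
    state = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[state] = (session_id, now if now is not None else time.time())
    return state


def redeem_state(state: str, now: Optional[float] = None) -> Optional[str]:
    """On the after-sign-on landing page: return the owning session id if the
    presented state is known, unexpired and unused; otherwise None.

    The entry is removed on every lookup so a captured state cannot be replayed,
    and a forged request (no entry) is rejected instead of being attached to
    some arbitrary session. Any callback that returns None should be dropped
    without storing the token it carried."""
    now = now if now is not None else time.time()
    entry = _pending.pop(state, None)
    if entry is None:
        return None  # never issued, or already used
    session_id, issued_at = entry
    if now - issued_at > STATE_TTL_SECONDS:
        return None  # stale: treat like a forgery
    return session_id


if __name__ == "__main__":
    # Constructed walk-through: one browser session starts sign-on and returns.
    s = issue_state("session-42")
    print("callback accepted for:", redeem_state(s))   # session-42
    print("replay accepted for:", redeem_state(s))     # None
    print("forged callback:", redeem_state("made-up"))  # None
```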
