Question

Sunrise on iOS is a calendar that, with version 2, added support for iCloud calendars. From this page, the team at Sunrise say this:

When you type in your iCloud credentials, they are sent to our server only once in a secured way over SSL. [...] We use them to generate a secure token from Apple. This secure token is the only thing we store on our servers, we never store your actual iCloud credentials.

And recently:

Since our 2.11 version, we are not sending iCloud credentials to our servers, the app generates the secure token client-side.

All of this means that a token, generated by/for Apple, can be used to access the user's iCloud calendars from Apple's servers, on the user's behalf. There exist a few references here and there talking about the way one (a user) can find a CalDAV URL to use with calendar clients, or how one can download her calendars' content as .ics files by going on the iCloud web app.

The method described by the team at Sunrise does not seem to fit with any of these methods. And so I'd like to know how a startup can openly (and apparently with the support of Apple) have access to Apple's servers.

Solution

They moved the portion of the code that did the authentication to the client. So if you know how to authenticate with iCloud on your server, you know how to do it on the client. On the client, an authorization request is made and if that succeeds, the authorization token is then sent to the server. This token is valid for a certain amount of time (or indefinitely). The server uses the token when sending requests to Apple.

If I recall correctly, Apple uses Kerberos for iCloud. So after authentication, the server creates a ticket, which then any client can use for requests. The ticket is what is sent to the server.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow