ASWebAuthenticationSession does not work for some reason for an OAuth Authorization Code grant

Hi there,

I'm having some trouble with getting a OAuth Authorization Code redirect with a custom scheme to work with ASWebAuthenticationSession.

I am trying to build an app that integrates with an authentication provider, in which I have configured like this:

  • Callback URL: myapp://auth

In my iOS app, I have define this as a custom scheme in my info.plist file.

<dict>
	<key>CFBundleURLTypes</key>
	<array>
		<dict>
			<key>CFBundleTypeRole</key>
			<string>Editor</string>
			<key>CFBundleURLName</key>
			<string>com.abc.def</string>
			<key>CFBundleURLSchemes</key>
			<array>
				<string>myapp</string>
			</array>
		</dict>
		<dict/>
	</array>
</dict>

Excuse the messy-ish code below, but I just want to see this work.

import SwiftUI

@main
struct MyApp: App {
    var body: some Scene {
        WindowGroup {
            AContentView()
                .onOpenURL { url in
                    print("Received URL in onOpenURL: \(url)")
                    Self.handleURL(url)
                }
        }
    }
    
    static func handleURL(_ url: URL) {
        print("Handled URL: \(url)")
    }
}

import AuthenticationServices

struct AContentView: View {
    @Bindable var viewModel = SomeViewModel()
    @State private var authSession: ASWebAuthenticationSession?
    @State private var presentationContextProvider = PresentationContextProvider()
    
    var body: some View {
        VStack {
            Button(action: doIt) {
                Text("Authenticate")
                
            }
        }
    }
    
    func doIt() {
        Task { @MainActor in
            await viewModel.onLaunchAsync() // this asynchronously gets some stuff that is used to build `viewModel.loginUrl`
            authenticate()
        }
    }
    
    func authenticate() {
        let authURL = viewModel.loginUrl! // Replace with your auth URL
        let callbackURLScheme = "myapp"

        authSession = ASWebAuthenticationSession(url: authURL, callback: .customScheme(callbackURLScheme)) { callbackURL, error in
            if let error = error {
                print("Authentication error: \(error.localizedDescription)")
                return
            }
            
            guard let callbackURL = callbackURL else {
                print("No callback URL")
                return
            }
            
            print("Callback URL: \(callbackURL)")
            MyApp.handleURL(callbackURL)
        }
        
        authSession?.presentationContextProvider = presentationContextProvider
        authSession?.start()
    }
}

class PresentationContextProvider: NSObject, ASWebAuthenticationPresentationContextProviding {
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return UIApplication.shared.windows.first!
    }
}

I'm running Proxyman, and can see the calls the iOS app makes.

When I click the "authenticate" button, I get the expected request to open Safari, and login to a web form provided by an authentication provider. Next, I am redirected to a "choose consents" page, where I can choose scopes. Finally, on this page, I click "Allow" at the bottom of this list of scopes, but instead of being 'sent' back to the app, the redirect doesn't work.

The final API call the web screen makes is to a /consent endpoint which replies with an HTTP 302, and a Location header as below: Location: myapp://auth#code=<something>.

This doesn't close the window, either in a simulator or a real device.

I can verify that my scheme is working correctly, as if I manually in Safari browse to myapp://auth#code=1234 it asks me if I want to open in my app, and I can see my print firing off.

Am I missing something? What am I doing wrong here?

While I could implement this myself using WKWebView / WKNavigationDelegate to intercept the new location, see if its my custom scheme, and then close it out, that seems hacky, and AFAIK ASWebAuthenticationSession should support my use-case.

Many thanks!

Answered by Systems Engineer in 797868022

Can you please file this through Feedback Assistant, ideally with a screen recording and/or repro case? ASWebAuthenticationSession uses WKNavigationDelegate under the hood, so it should be able to catch all the same things.

Interestingly, I left a simulator running for a long while and came back to my desk and hit the "authenticate" button.

The Safari view caused by using ASWebAuthenticationSession came up, was blank/invalid, and I got a callback from the authentication provider..

The header that caused this was:

Location: myapp://auth#state=17A26C7A-AFDE-4C3B-BA89-85FAA343F0DB&error=invalid_request_object&error_description=Expired%20jwt

I'm partially happy it worked at least once, but am also confused it doesn't work when it should

Can you please file this through Feedback Assistant, ideally with a screen recording and/or repro case? ASWebAuthenticationSession uses WKNavigationDelegate under the hood, so it should be able to catch all the same things.

ASWebAuthenticationSession does not work for some reason for an OAuth Authorization Code grant
 
 
Q