openid / AppAuth-iOS

iOS and macOS SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-iOS
Apache License 2.0
1.76k stars 772 forks source link

Universal link support #367

Open galsc-tr opened 5 years ago

galsc-tr commented 5 years ago

Hi,

Using SFSafariViewController to login and assuming I've setup Universal Link support for my iOS app on my domain, how do I leverage and redirect to my domain using universal login from within SFSafariViewController?

WilliamDenniss commented 5 years ago

You need to call [_currentAuthorizationFlow resumeExternalUserAgentFlowWithURL:url] from the method in your delegate that receives the universal link.

E.g. like this, but in the universal link method:

https://github.com/openid/AppAuth-iOS/blob/0c822671e56cedf159a6d27ccf0669b689c0f2b5/Examples/Example-iOS_ObjC/Source/AppDelegate.m#L50-L55

galsc-tr commented 5 years ago

How do I redirect from inside the HTML's WebView? (asking for both Android & iOS).

grEvenX commented 5 years ago

Is anyone using universal links in production for native apps, I haven't been able to find any examples and I'm struggling a lot with it myself. It works fine the first time (when I don't currently have an auth session and I'm not logged in on the provider) probably because the redirect then happens after a button click and not due to automatic redirection.

See other user with the same problem here: https://stackoverflow.com/questions/45239215/universal-link-fails-when-oauth2-login-page-redirects-immediately

To describe the issue I'm having:

  1. I open the app and it creates an OIDAuthorizationRequest
  2. I haven't authorised the app before, so after logging in at the OAuth Provider I see the "consent screen" where I can tap "authorize". The page is then redirected to the redirect URL, and the embedded browser/auth-view is automatically dismissed and I get the access/refresh tokens.
  3. The next time I try to create an OIDAuthorizationRequest I have already authorised the app and I am already logged in at the OAuth Provider, so it automatically redirects be to the redirect URL. When this happens I just see the page for the redirect URL in the embedded browser/auth-view. This is because the OS never forwards the request to the app, thus application(_ application: UIApplication, continue userActivity: NSUserActivity, restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void is never called.

(Btw, the README and the examples doesn't support Universal Links, because they rely on AppDelegate's application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool instead of the continue userActivity as mentioned above).

lapinek commented 5 years ago

@grEvenX, as you are aware, this is not really an AppAuth-iOS specific issue. My (non-production) experience, which I described in #396, was that the authorization endpoint needs to be visited from an intermediate screen in order for Universal Links to be redirected to the app. In the case of the in-app browser tabs, the user needs to navigate to the authorization endpoint. With Safari, it appears, navigation/redirection to the authorization endpoint may occur automatically. Like I said in the other issue, I am not entirely sure why this has to apply to the authentication classes, which AppAuth uses in iOS 11 and 12. Looks like something overlooked by Apple and to be fixed by them.

diptiy commented 4 years ago

@WilliamDenniss, same issue is happening in my case as well. I am testing app on iOS simulator, and not on device. is there some dependency for this?

appdev-exaring commented 3 years ago

In my case, I don't even get a callback. None of the options open url or user activity. When I dump the request URL and paste it into the notes app and click the link there, everything works just fine. Any idea, what could have gone wrong?

DanCananau commented 3 years ago

I have the same issue as above. Universal link works fine from Notes, but is not triggered on a redirect from the identity provider. During the flow there is user interaction. Is there any response to this?

kunwar231 commented 3 years ago

Has anyone found an issue to this? On My app, a blank page opens on SFSafariViewController which says 0kb. but it doesn't redirects to the app. But the universal links are correctly implemented as I have checked by using the redirect url in the notes.

PankovSerge commented 2 years ago

Same here. I have implemented applinks with wildcard, but didn't get callback even for custom scheme. In case if wildcard not exist in entitlements, everything works as expected.

shobhitpuri commented 2 years ago

I'm having the same issue as everyone above. Has anyone been able to solve this? @PankovSerge Do universal link OAuth work from you if opened from a SFSafariViewController or ASWebAuthenticationSession within the app? iOS 15.2

Joren-Thijs-KasparSolutions commented 1 year ago

I am suffering the same issue today. The in-app browser opens. goes to IDP login screen. I login, and then i'm sent to a blank page (since my redirect uri points to a non existingwebpage) and get stuck there instead of closing the browser and returning to the app. Has anyone been able to get this working with universal links yet?

XiangloongChen commented 4 months ago

@Joren-Thijs-KasparSolutions Did you use ASWebAuthenticationSession? I've suffered the same issue for 3 days, and finally find out universal link is not supported as redirect URL when using ASWebAuthenticationSession.

So the workaround could be:

shobhitpuri commented 4 months ago

@XiangloongChen I ended up with custom schema, since it is safe to use custom schema with ASWebAuthenticationSession, which was made by Apple specifically for authentication purpose. The session information is not shared with Safari or any other apps, so the custom schema would only redirect within the specific app, even if any malicious app registers for it. The official documentation says:

ASWebAuthenticationSession ensures that only the calling app’s session receives the authentication callback, even when more than one app registers the same callback URL scheme.

Joren-Thijs-KasparSolutions commented 4 months ago

@XiangloongChen we ended up doing the same as @shobhitpuri and just used ASWebAuthenticationSession.

krishnaprasadkuchur commented 2 months ago

We've been running into the same issue for years now, and decided to stick around with custom schemes. (Given that another app cannot hijack a session initiated by our app). We did file a RADAR a couple of years ago with Apple, since we are not getting the callback once the universal link is loaded in some scenarios such as autofilled passwords from keychain. Yet to get a proper response from them.

I do see a new issue raised: https://github.com/openid/AppAuth-iOS/issues/847 , about switching over to a new init API. has anyone gotten a chance to verify if using this API: https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/init(url:callback:completionhandler:)-6nut7?language=objc makes any difference?

Moriya-Taichi commented 1 month ago

I am facing the same issue. To investigate whether the problem lies with AppAuth or ASWebAuthenticationSession, I wrote some simple code. I obtained the request URL from OIDAuthorizationRequest and set it as the URL for ASWebAuthenticationSession. I then compared two scenarios: setting the callbackURLScheme to the scheme of the redirect URL (in this case, https) similar to how it's done in AppAuth, and using the callback: ASWebAuthenticationSession.Callback with the universal link's host and path, which is available from iOS 17.4 onwards.

The results of the tests showed that using the current callbackURLScheme specification for ASWebAuthenticationSession did not trigger the completionHandler and did not work. However, when using the callback: ASWebAuthenticationSession.Callback specification available from iOS 17.4 onwards, the completionHandler was called, and it functioned correctly.

From these findings, I understand that AppAuth, which relies on ASWebAuthenticationSession, only works with custom URL schemes.

I verified with the following code.

let authRequest = OIDAuthorizationRequest(...)
let session = ASWebAuthenticationSession(
    url: authRequest.authorizationRequestURL(),
    callback: ASWebAuthenticationSession.Callback.https(
        host: <host>,
        path: <path>
    )
) { url, error in
    // working
}
session.presentationContextProvider = contextProvider
session.start()
let authRequest = OIDAuthorizationRequest(...)
let session = ASWebAuthenticationSession(
    url: authRequest.authorizationRequestURL(),
    callbackURLScheme: "https"
) { url, error in
    // not working
}
session.presentationContextProvider = contextProvider
session.start()