Skip to content

feat(ios): support HTTPS callback URLs via ASWebAuthenticationSessionCallback (iOS 17.4+)#486

Open
brian-ouellette-cb wants to merge 1 commit into
proyecto26:developfrom
brian-ouellette-cb:feat/ios-https-callback-url-support
Open

feat(ios): support HTTPS callback URLs via ASWebAuthenticationSessionCallback (iOS 17.4+)#486
brian-ouellette-cb wants to merge 1 commit into
proyecto26:developfrom
brian-ouellette-cb:feat/ios-https-callback-url-support

Conversation

@brian-ouellette-cb

@brian-ouellette-cb brian-ouellette-cb commented Jun 24, 2026

Copy link
Copy Markdown

Summary

iOS 17.4 introduced ASWebAuthenticationSessionCallback, which allows ASWebAuthenticationSession to use HTTPS Universal Link URLs as OAuth redirect callbacks — not just custom URL schemes. This is important for apps using associated domains (e.g. https://example.com/oauth/callback) rather than custom schemes like myapp://oauth/callback.

What changed

  • Detect when redirectURL uses the https scheme.
  • On iOS 17.4+, create an ASWebAuthenticationSessionCallback using callbackWithHTTPSHost:path: instead of passing callbackURLScheme:.
  • Fall back to the existing callbackURLScheme behavior for custom URL schemes and for iOS < 17.4.

All existing behavior for custom URL scheme redirects is preserved.

Why this matters

Apps that implement Universal Links for OAuth callbacks (required by some OAuth providers and increasingly expected by modern auth standards) were previously blocked from using ASWebAuthenticationSession through this library. With this change, an HTTPS redirect URI works end-to-end on iOS 17.4+.

How it works

// New path — iOS 17.4+, HTTPS redirect URL
ASWebAuthenticationSessionCallback *httpsCallback =
  [ASWebAuthenticationSessionCallback callbackWithHTTPSHost:redirectNSURL.host
                                                       path:redirectNSURL.path.length ? redirectNSURL.path : @"/"];
webAuthSession = [[ASWebAuthenticationSession alloc]
  initWithURL:url
  callback:httpsCallback
  completionHandler:completionHandler];

// Existing path — custom URL scheme or iOS < 17.4 (unchanged)
webAuthSession = [[ASWebAuthenticationSession alloc]
  initWithURL:url
  callbackURLScheme:callbackScheme
  completionHandler:completionHandler];

The compile-time #if defined(__IPHONE_17_4) guard ensures the code compiles cleanly against SDKs older than 17.4.

Possibly related issues

Test plan

  • Build and run the example app targeting iOS 17.4+ simulator/device with an HTTPS redirect URI — confirm the OAuth flow completes and callbackURL is returned correctly.
  • Build and run with a custom scheme redirect URI on iOS 17.4+ — confirm fallback behavior is unchanged.
  • Build and run on iOS < 17.4 device/simulator — confirm fallback to callbackURLScheme and no build errors.
  • Build against an older Xcode SDK (pre-17.4 headers) — confirm no compile error due to the #if defined(__IPHONE_17_4) guard.

…Callback

On iOS 17.4+, ASWebAuthenticationSession gained support for HTTPS
Universal Link callbacks via ASWebAuthenticationSessionCallback.
Previously, only custom URL schemes were supported for the redirect,
which required registering a custom scheme and prevented use of standard
HTTPS OAuth redirect URIs (e.g. for Universal Links / associated domains).

This change detects when the redirectURL uses the https scheme and, on
iOS 17.4+, creates an ASWebAuthenticationSessionCallback using
callbackWithHTTPSHost:path: instead of passing a callbackURLScheme.
Older iOS versions fall back to the existing custom scheme behavior.
@brian-ouellette-cb

Copy link
Copy Markdown
Author

@jdnichollsc LMK what you think here, tested this working via local patch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant