I use ASWebAuthenticationSession to authenticate from another application to my application. I open ASWebAuthenticationSession, and it redirects to my application's universal links. The problem is that when it redirects to my application's universal link, it asks to open the App Store. When it redirects, I want to close the session. But ASWebAuthenticationSession only takes a custom URL scheme. How can I handle it securely (because custom URL schemes are not secure: RFC 8252 7.1)?
I can confirm this works as of iOS 14 or later, haven't tested on earlier versions though.
When you initialize your ASWebAuthenticationSession you can pass in callbackURLScheme: "https".
When the authentication provider redirects to your universal link, your app delegate's application(_:continue:restorationHandler:) will fire with the correct redirect URL; however, the ASWebAuthenticationSession's completion handler does not fire, and therefore the authentication dialog remains on the screen.
You will need to save a reference to the ASWebAuthenticationSession and cancel() it manually to dismiss it instead.
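The flow this answer describes, written out as an added example (not code from the original answer). `LoginCoordinator`, the host `example.com` and the path `/auth/callback` are hypothetical, and the `state` check assumes an authorization-code flow where the provider echoes the OAuth `state` parameter; it is there because a universal link can be opened by any page, not only by the session you started.

```swift
import AuthenticationServices
import UIKit

// Added example. Hypothetical names: LoginCoordinator, example.com, /auth/callback.
// Assumes the provider echoes the OAuth `state` parameter on the redirect.
final class LoginCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    static let shared = LoginCoordinator()
    private var session: ASWebAuthenticationSession?  // strong reference, needed for cancel()
    private var expectedState: String?

    func start(authorizeURL: URL) {
        guard var parts = URLComponents(url: authorizeURL, resolvingAgainstBaseURL: false) else { return }
        let state = UUID().uuidString  // random value that binds the redirect to this attempt
        parts.queryItems = (parts.queryItems ?? []) + [URLQueryItem(name: "state", value: state)]
        guard let url = parts.url else { return }
        expectedState = state
        let session = ASWebAuthenticationSession(url: url, callbackURLScheme: "https") { [weak self] _, _ in
            // Per the answer above this does not fire for the universal-link redirect; user cancellation still lands here.
            self?.session = nil
        }
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    /// Call from application(_:continue:restorationHandler:). Returns the authorization code, or nil.
    func handle(_ activity: NSUserActivity) -> String? {
        guard activity.activityType == NSUserActivityTypeBrowsingWeb,
              let url = activity.webpageURL,
              let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
              parts.host == "example.com", parts.path == "/auth/callback" else { return nil }
        let items = parts.queryItems ?? []
        // Ignore links that do not carry the state of the login attempt we started.
        guard let expected = expectedState,
              items.first(where: { $0.name == "state" })?.value == expected else { return nil }
        expectedState = nil
        session?.cancel()  // the completion handler did not fire, so dismiss the sheet manually
        session = nil
        return items.first(where: { $0.name == "code" })?.value
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        let scenes = UIApplication.shared.connectedScenes.compactMap { $0 as? UIWindowScene }
        return scenes.flatMap { $0.windows }.first { $0.isKeyWindow } ?? ASPresentationAnchor()
    }
}
```

In the app delegate, pass `userActivity` to `LoginCoordinator.shared.handle(_:)` and treat a `nil` result as a link that was not part of a login you started.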
As of today (2024), the only way I made it work (especially with SwiftUI) was to create a serverless Lambda service on AWS. I registered the redirect URL with a path auth\appLogin that handles the response from OAuth 2.0. In my case the response type was code, so I needed to call another API to get the access_token and then respond with a redirect to the URL scheme registered in my app:
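    // Redirect back into the app through its custom URL scheme.
    resolve({
        statusCode: 302,
        headers: {
            // Percent-encode the token so it survives as a query value.
            'Location': `myapp://callback?access_token=${encodeURIComponent(JSON.parse(body).access_token)}`
        }
    });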
And this is my SwiftUI code:

    import AuthenticationServices

    // baseURL, responseType, clientId, redirectUrl and scopesString must already be
    // percent-encoded; URL(string:) can return nil for values with spaces or reserved characters.
    if let authURL = URL(string: "\(baseURL)?response_type=\(responseType)&client_id=\(clientId)&redirect_uri=\(redirectUrl)&scope=\(scopesString)") {
        let scheme = "myapp" // Your app's custom URL scheme
        let session = ASWebAuthenticationSession(url: authURL, callbackURLScheme: scheme) { callbackURL, error in
            guard error == nil, let callbackURL = callbackURL else {
                print("Authorization failed: \(String(describing: error))")
                return
            }
            // Read the access token that the Lambda redirect put in the callback URL
            let queryItems = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false)?.queryItems
            if let access_token = queryItems?.first(where: { $0.name == "access_token" })?.value {
                // Debug output only; do not log tokens in release builds
                print("Authorization token: \(access_token)")
            }
        }
        session.presentationContextProvider = contextProvider
        // Keep a strong reference to `session` (for example in a property) while it is running
        session.start()
    }
Also remember to register your URL scheme:
