From 2d110135b433ef5bf5aa97bcc5ea67035f8af5bf Mon Sep 17 00:00:00 2001 From: Worthing ~ <115107835+w-goog@users.noreply.github.com> Date: Tue, 14 Apr 2026 15:57:09 -0700 Subject: [PATCH 1/4] fix: remove external browser fallback from OIDExternalUserAgentIOS --- Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m index 7a3fa2278..95acdc16c 100644 --- a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m +++ b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m @@ -133,12 +133,9 @@ - (BOOL)presentExternalUserAgentRequest:(id)request openedUserAgent = [authenticationVC start]; } } - // If all else failed use the local browser. - if (!openedUserAgent){ - [[UIApplication sharedApplication] openURL:requestURL - options:@{} - completionHandler:nil]; - openedUserAgent = YES; + if (!openedUserAgent) { + [self cleanUp]; + return NO; } return openedUserAgent; From 09be3416f1356ac04db831e1b7ba105f1402b1aa Mon Sep 17 00:00:00 2001 From: Worthing ~ <115107835+w-goog@users.noreply.github.com> Date: Tue, 14 Apr 2026 16:01:41 -0700 Subject: [PATCH 2/4] docs: update OIDExternalUserAgentIOS header to reflect removal of browser fallback --- Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h index 4ab6c7452..ff61455f1 100644 --- a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h +++ b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h @@ -40,9 +40,7 @@ API_UNAVAILABLE(macCatalyst) /*! @brief The designated initializer. @param presentingViewController The view controller from which to present the authentication UI. - @discussion The specific authentication UI used depends on the iOS version and accessibility - options. iOS 12+ uses @c ASWebAuthenticationSession (unless Guided Access is on), - otherwise local browser is used. + @discussion The specific authentication UI used depends on the iOS version and accessibility options. Uses @c ASWebAuthenticationSession. If Guided Access is enabled or the session cannot be started, the method returns NO and the authorization flow fails with an error. */ - (nullable instancetype)initWithPresentingViewController: (UIViewController *)presentingViewController @@ -52,8 +50,7 @@ API_UNAVAILABLE(macCatalyst) @param presentingViewController The view controller from which to present the browser. @param prefersEphemeralSession Whether the caller prefers to use a private authentication session. See @c ASWebAuthenticationSession.prefersEphemeralWebBrowserSession for more. - @discussion Authentication is performed with @c ASWebAuthenticationSession (unless Guided Access - is on), setting the ephemerality based on the argument. + @discussion Authentication is performed with @c ASWebAuthenticationSession, setting the ephemerality based on the argument. If Guided Access is enabled or the session cannot be started, the method returns NO and the authorization flow fails with an error. */ - (nullable instancetype)initWithPresentingViewController: (UIViewController *)presentingViewController From 16885bdc116f2165b4d07f2ebb20f05a28ef096d Mon Sep 17 00:00:00 2001 From: Worthing ~ <115107835+w-goog@users.noreply.github.com> Date: Tue, 14 Apr 2026 16:01:30 -0700 Subject: [PATCH 3/4] docs: update README iOS section to reflect ASWebAuthenticationSession-only --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 540feda72..c9f44a41c 100644 --- a/README.md +++ b/README.md @@ -41,9 +41,7 @@ For tvOS, AppAuth implements [OAuth 2.0 Device Authorization Grant AppAuth supports iOS 12 and above. -iOS 9+ uses the in-app browser tab pattern -(via `SFSafariViewController`), and falls back to the system browser (mobile -Safari) on earlier versions. +Authentication is performed using `ASWebAuthenticationSession`. #### Authorization Server Requirements From 24a55455fab94723f7d78b9df2b89336faa481d2 Mon Sep 17 00:00:00 2001 From: Worthing ~ <115107835+w-goog@users.noreply.github.com> Date: Tue, 14 Apr 2026 16:01:27 -0700 Subject: [PATCH 4/4] docs: add CHANGELOG entry for browser fallback removal --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d86a0f705..4898d56c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +# 2.1.0 +- Removed external browser (Safari) fallback from `OIDExternalUserAgentIOS`. If `ASWebAuthenticationSession` fails to start (e.g., Guided Access is enabled), the authorization flow now fails with an error instead of opening an external browser. + # 2.0.0 - Raise minimum supported iOS version to iOS 12. ([#918](https://github.com/openid/AppAuth-iOS/pull/918)) - Remove deprecated `[UIApplication openURL:]` method to compile with Xcode 16. ([#911](https://github.com/openid/AppAuth-iOS/pull/911))