openid · w-goog · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# 2.1.0
+- Removed external browser (Safari) fallback from `OIDExternalUserAgentIOS`. If `ASWebAuthenticationSession` fails to start (e.g., Guided Access is enabled), the authorization flow now fails with an error instead of opening an external browser.
+
 # 2.0.0
 - Raise minimum supported iOS version to iOS 12. ([#918](https://github.com/openid/AppAuth-iOS/pull/918))
 - Remove deprecated `[UIApplication openURL:]` method to compile with Xcode 16. ([#911](https://github.com/openid/AppAuth-iOS/pull/911))

diff --git a/README.md b/README.md
@@ -41,9 +41,7 @@ For tvOS, AppAuth implements [OAuth 2.0 Device Authorization Grant
 
 AppAuth supports iOS 12 and above.
 
-iOS 9+ uses the in-app browser tab pattern
-(via `SFSafariViewController`), and falls back to the system browser (mobile
-Safari) on earlier versions.
+Authentication is performed using `ASWebAuthenticationSession`.
 
 #### Authorization Server Requirements
 

diff --git a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h
@@ -40,9 +40,7 @@ API_UNAVAILABLE(macCatalyst)
 
 /*! @brief The designated initializer.
     @param presentingViewController The view controller from which to present the authentication UI.
-    @discussion The specific authentication UI used depends on the iOS version and accessibility
-        options. iOS 12+ uses @c ASWebAuthenticationSession (unless Guided Access is on),
-        otherwise local browser is used.
+    @discussion The specific authentication UI used depends on the iOS version and accessibility options. Uses @c ASWebAuthenticationSession. If Guided Access is enabled or the session cannot be started, the method returns NO and the authorization flow fails with an error.
  */
 - (nullable instancetype)initWithPresentingViewController:
     (UIViewController *)presentingViewController
@@ -52,8 +50,7 @@ API_UNAVAILABLE(macCatalyst)
     @param presentingViewController The view controller from which to present the browser.
     @param prefersEphemeralSession Whether the caller prefers to use a private authentication
         session. See @c ASWebAuthenticationSession.prefersEphemeralWebBrowserSession for more.
-    @discussion Authentication is performed with @c ASWebAuthenticationSession (unless Guided Access
-        is on), setting the ephemerality based on the argument.
+    @discussion Authentication is performed with @c ASWebAuthenticationSession, setting the ephemerality based on the argument. If Guided Access is enabled or the session cannot be started, the method returns NO and the authorization flow fails with an error.
  */
 - (nullable instancetype)initWithPresentingViewController:
     (UIViewController *)presentingViewController

diff --git a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m
@@ -133,12 +133,9 @@ - (BOOL)presentExternalUserAgentRequest:(id<OIDExternalUserAgentRequest>)request
       openedUserAgent = [authenticationVC start];
     }
   }
-  // If all else failed use the local browser.
-  if (!openedUserAgent){
-    [[UIApplication sharedApplication] openURL:requestURL
-                                       options:@{}
-                             completionHandler:nil];
-    openedUserAgent = YES;
+  if (!openedUserAgent) {
+    [self cleanUp];
+    return NO;
   }
 
   return openedUserAgent;