Problem
"Sign in with Google/Apple" and other OAuth/SSO flows don't work in the WKWebView browser.
What happens
- Google detects the embedded WKWebView and shows "This browser or app may not be secure"
- ASWebAuthenticationSession opens but cookies don't transfer back to the main WKWebView
- Popup-based OAuth (window.open) loses the
window.opener reference
Current workaround
Use email/password login instead of SSO buttons. This works fine.
Code location
See BrowserController.swift:
startAuthSession() - ASWebAuthenticationSession attemptcreatePopupSync() / createPopup() - popup WebView for OAuthhandleAuthCallback() - callback URL parsing
Attempted solutions
- ASWebAuthenticationSession - Opens system browser but cookies don't sync back
- Shared WKProcessPool - Enabled cookie sharing but still doesn't work
- SFSafariViewController - Can't programmatically control it
- Custom user agent - Already spoofing as Safari, Google still detects WKWebView
Possible solutions to explore
- Use Safari directly via
open -a Safari and poll for cookies
- Inject JavaScript to intercept OAuth tokens before redirect
- Use a local proxy to capture OAuth redirects
- Deep link callback scheme that transfers tokens
Related
This is a known limitation of WKWebView. Many apps face this issue.
Contributions welcome!
Problem
"Sign in with Google/Apple" and other OAuth/SSO flows don't work in the WKWebView browser.
What happens
window.openerreferenceCurrent workaround
Use email/password login instead of SSO buttons. This works fine.
Code location
See
BrowserController.swift:startAuthSession()- ASWebAuthenticationSession attemptcreatePopupSync()/createPopup()- popup WebView for OAuthhandleAuthCallback()- callback URL parsingAttempted solutions
Possible solutions to explore
open -a Safariand poll for cookiesRelated
This is a known limitation of WKWebView. Many apps face this issue.
Contributions welcome!