[GH-ISSUE #653] 🐛 Invalid URL built when ASWebAuthenticationSession returns an error #428

Closed
opened 2026-03-03 16:48:36 +03:00 by kerem · 4 comments

Originally created by @phatblat on GitHub (May 3, 2021).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/653

Description:

When a non-nil error is returned to the `ASWebAuthenticationSession` completion handler provided by this library, a URL is built using only the scheme and some query string parameters.

```swift
let urlString = "\(self.callbackUrlScheme)?error=\(msg ?? "UNKNOWN")"
```

This results in a URL like the following being constructed:

```
"customScheme?error=The%20operation%20couldn%E2%80%99t%20be%20completed.%20(com.apple.AuthenticationServices.WebAuthenticationSession%20error%201.)"
```

Note that the `guard let url = URL(string: urlString)` is not sufficient to catch this because the `url` variable does end up with an instance of `URL`. The problem comes when the URL is opened with `UIApplication.shared.open(url)`:

> 2021-05-03 15:18:43.500540-0600 KPConsumerAuth_Example[65804:1976592] [default] Failed to open URL customScheme?error=The%20operation%20couldn%E2%80%99t%20be%20completed.%20(com.apple.AuthenticationServices ... or%201.): Error Domain=NSOSStatusErrorDomain Code=-50 "invalid input parameters" UserInfo={NSDebugDescription=invalid input parameters, _LSLine=234, _LSFunction=-[_LSDOpenClient openURL:options:completionHandler:]}

Note that the success case is not affected as the `callback` URL passed to the completion handler is opened without any modification.

```swift
UIApplication.shared.open(successURL, options: [:], completionHandler: nil)
```

OAuth Provider? (Twitter, Github, ..):

PingFederate

OAuth Version:

  • [ ] Version 1
  • [x] Version 2

OS (Please fill the version) :

  • [x] iOS : 14.5
  • [ ] OSX :
  • [ ] TVOS :
  • [ ] WatchOS :

Installation method:

  • [ ] Carthage
  • [x] CocoaPods
  • [ ] Swift Package Manager
  • [ ] Manually

Library version:

  • [ ] head
  • [x] v2.1.0
  • [ ] v2.0.0
  • [ ] v1.4.1
  • [ ] other: (Please fill in the version you are using.)

Xcode version:

  • [x] 12.5 (Swift 5.4)
  • [ ] 11.4 (Swift 5.2)
  • [ ] 11.x (Swift 5.1)
  • [ ] 10.x (Swift 5.0)
  • [ ] other: (Please fill in the version you are using.)
  • [ ] objective c

kerem closed this issue 2026-03-03 16:48:37 +03:00

@phatblat commented on GitHub (May 3, 2021):

A big problem with the current approach of building callback URL with the error info is that this implementation assumes that the app is using a custom URL scheme. If the app were (only) using a universal link (`https://example.com/redirect`) as their OAuth `redirect_uri`, then there would be no way to return the info to the app. A URL of "https?error=blah" will generate the same error:

> 2021-05-03 15:39:42.534734-0600 KPConsumerAuth_Example[85161:2047207] [default] Failed to open URL https?error=The%20operation%20couldn%E2%80%99t%20be%20completed.%20(com.apple.AuthenticationServices.WebAuthenticationSe ... or%201.): Error Domain=NSOSStatusErrorDomain Code=-50 "invalid input parameters" UserInfo={NSDebugDescription=invalid input parameters, _LSLine=234, _LSFunction=-[_LSDOpenClient openURL:options:completionHandler:]}


@phatblat commented on GitHub (May 3, 2021):

Since the full `redirect_uri` isn't currently passed into `ASWebAuthenticationURLHandler`, it seems like the simplest tactical solution is to just insert `:` into this error URL.

An API change would be required to add errors to the OAuth client's `redirect_uri`


@phatblat commented on GitHub (May 3, 2021):

I discovered this issue when we upgraded to using Xcode 12.5. We had been working around the issue by passing our OAuth client's redirect_uri as the `callbackURLScheme`, but on iOS 14.5 this blows up:

> 2021-04-27 08:55:18.050259-0600 KPConsumerAuth_Example[50883:1438884] [AuthenticationSession] The provided scheme is not valid. A scheme should not include special characters such as ":" or "/".
> 2021-04-27 08:55:18.625019-0600 KPConsumerAuth_Example[50883:1438884] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'The provided scheme is not valid. A scheme should not include special characters such as ":" or "/".'


@phatblat commented on GitHub (May 4, 2021):

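The issue with the [`callbackURLScheme`](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/2990952-init) is really an Apple API issue; `ASWebAuthenticationURLHandler` is merely a wrapper around it. Strange that Apple built this API without considering its own [Universal Links](https://developer.apple.com/ios/universal-links/) technology, which would use redirect URLs with an `https` scheme.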
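
An added example, not part of the original thread and not OAuthSwift's code: one way to build the error callback so that the result always carries a scheme, and so that a scheme string containing ":" or "/" is rejected before it is used. `errorCallbackURL`, `isValidScheme` and `CallbackURLError` are hypothetical names, and the check goes slightly beyond the thread by applying the full RFC 3986 scheme grammar.

```swift
import Foundation

// Added example; not OAuthSwift code. All names below are hypothetical.
enum CallbackURLError: Error { case invalidScheme(String), unbuildable }

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
let schemeHead = CharacterSet(charactersIn:
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
let schemeTail = schemeHead.union(CharacterSet(charactersIn: "0123456789+-."))

func isValidScheme(_ s: String) -> Bool {
    guard let first = s.unicodeScalars.first, schemeHead.contains(first) else {
        return false
    }
    return s.unicodeScalars.allSatisfy { schemeTail.contains($0) }
}

func errorCallbackURL(scheme: String, message: String?) throws -> URL {
    // URLComponents raises an exception on an invalid scheme, so check first.
    guard isValidScheme(scheme) else { throw CallbackURLError.invalidScheme(scheme) }
    var components = URLComponents()
    components.scheme = scheme
    // URLQueryItem percent-encodes the value as needed.
    components.queryItems = [URLQueryItem(name: "error", value: message ?? "UNKNOWN")]
    // Checking scheme != nil is the test that `URL(string:)` alone does not make.
    guard let url = components.url, url.scheme != nil else {
        throw CallbackURLError.unbuildable
    }
    return url
}

// The construction from the issue: URL(string:) accepts it as a relative
// reference, so the guard passes even though there is no scheme.
let asReported = URL(string: "customScheme?error=UNKNOWN")
print("reported form has scheme:", asReported?.scheme != nil)

// Constructed inputs: a custom scheme, and a full redirect URI passed as a scheme.
let message = "The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 1.)"
for scheme in ["customScheme", "https://example.com/redirect"] {
    do {
        print(try errorCallbackURL(scheme: scheme, message: message))
    } catch {
        print("rejected:", error)
    }
}
```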
