Problem statement
When users log in to our mobile application, they can see the dialog prompting them to save their credentials in their password manager, but the browser window closes too quickly for them to interact with it. This happens with different Auth0 SDKs. Reported so far:
auth0-cordova, Xamarin-based iOS, and Android mobile applications
Symptoms
iOS users can see the dialog prompting them to save, but it closes too quickly for them to tap. Most Android users cannot even see the dialog.
Cause
This is a known bug with ASWebAuthenticationSession; see Issue #848 in AzureAD/microsoft-authentication-library-for-objc on GitHub, "Logging in via WebView doesn't block on ios 'Save Password' prompt".
There is also an open issue at AppAuth for iOS (unrelated to Xamarin, but the same behavior on iOS): Issue #602 in openid/AppAuth-iOS on GitHub, "Login screen disappears with save to iCloud Keychain displayed".
Users have also reported the same behavior when using SFSafariViewController.
Solution
You can add a landing page (hosted by you) to your web auth flow that tells the user something like “You’ve successfully logged in!” and contains a “Done” or “Return to App” button that they can press once they’ve interacted with the Save Password prompt.
You can achieve this using a post-login Action to redirect the users to that landing page and resume the authentication flow once they click on the displayed link/button. In our documentation, you can find detailed instructions on how to redirect users from within an Action and how to resume the authentication flow.
Please note that we recommend using a button/link and not an automated redirection after x seconds because certain policies in Chrome could block this redirection. Automatic redirections cannot happen without any user interaction. This is to avoid spam websites opening unwanted Apps automatically.
In Chrome for Android, pop-ups and redirections are blocked by default under Settings > Site Settings > Pop-ups and redirects. If the toggle is disabled (default), the browser won’t allow this.
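A sketch of the post-login Action and the landing page's "Return to App" link described above. This is an added example, not code from Auth0 or from the original article. The secret names MOBILE_CLIENT_ID and LANDING_URL, the helper buildContinueUrl, and the choice to skip the pause when the landing URL is misconfigured are assumptions.

```javascript
// Added example. MOBILE_CLIENT_ID and LANDING_URL are assumed Action secrets.

// Post-login Action: pause the flow on a landing page that you host.
async function onExecutePostLogin(event, api) {
  // Pause only the mobile app; every other client logs in unchanged.
  if (event.client.client_id !== event.secrets.MOBILE_CLIENT_ID) return;
  // A refresh-token exchange has no browser window to redirect.
  if (event.transaction && event.transaction.protocol === "oauth2-refresh-token") return;
  // Redirect only to a well-formed HTTPS URL; otherwise skip the pause.
  let landing;
  try {
    landing = new URL(event.secrets.LANDING_URL);
  } catch (err) {
    return;
  }
  if (landing.protocol !== "https:") return;
  // Auth0 appends a state parameter to this URL.
  api.redirect.sendUserTo(landing.toString());
}

// Runs when the landing page sends the browser back to /continue?state=...
async function onContinuePostLogin(event, api) {
  // The landing page returns no data, so nothing from it is read or trusted.
}

// Landing-page side: href for the "Return to App" button (user-initiated,
// not a timed redirect). Returns null if the page was opened without state.
function buildContinueUrl(tenantDomain, pageUrl) {
  const state = new URL(pageUrl).searchParams.get("state");
  if (!state) return null;
  const target = new URL(`https://${tenantDomain}/continue`);
  target.searchParams.set("state", state);
  return target.toString();
}

// Auth0 loads the handlers from exports.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```

The landing page should hide or disable the button when buildContinueUrl returns null, since the login cannot be resumed without the state value.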