Browser closing too quickly and can't save password when logging into mobile application

Problem statement

When users log in to our mobile application, they can see the dialog prompting them to save their credentials in their password manager, but the browser window closes too quickly for them to interact with it. This happens with different Auth0 SDKs. Reported so far: auth0-cordova, Xamarin-based iOS, and Android mobile applications.

Symptoms

iOS users can see the dialog prompting them to save, but it closes too quickly for them to tap. Most Android users cannot even see the dialog.

Cause

This is a known bug with ASWebAuthenticationSession; see "Logging in via WebView doesn't block on ios "Save Password" prompt · Issue #848 · AzureAD/microsoft-authentication-library-for-objc · GitHub".

There is also an open issue at AppAuth for iOS (unrelated to Xamarin, but the same behavior on iOS): Login screen disappears with save to iCloud Keychain displayed · Issue #602 · openid/AppAuth-iOS · GitHub

Users have also reported the same behavior when using SFSafariViewController.

Solution

You can add a landing page (hosted by you) to your web auth flow that tells the user something like “You’ve successfully logged in!” and contains a “Done” or “Return to App” button that they can press once they’ve interacted with the Save Password prompt.

You can achieve this using a post-login Action to redirect the users to that landing page and resume the authentication flow once they click on the displayed link/button. In our documentation, you can find detailed instructions on how to redirect users from within an Action and how to resume the authentication flow.

Please note that we recommend using a button/link and not an automated redirection after x seconds because certain policies in Chrome could block this redirection. Automatic redirections cannot happen without any user interaction. This is to avoid spam websites opening unwanted Apps automatically.

In Chrome for Android, pop-ups and redirections are blocked by default under Settings > Site Settings > Pop-ups and redirects. If the toggle is disabled (default), the browser won’t allow this.
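
A sketch of the post-login Action and the landing page's "Return to App" link described above, added here as an example and not taken from Auth0's documentation or SDKs. The secret names `MOBILE_CLIENT_ID` and `LANDING_PAGE_URL`, the `TENANT_DOMAIN` placeholder, and the helper `buildContinueUrl` are assumptions.

```javascript
// --- Auth0 post-login Action (runs on the Auth0 tenant) ---
// Assumed Action secrets: MOBILE_CLIENT_ID, LANDING_PAGE_URL.
const onExecutePostLogin = async (event, api) => {
  // Only interrupt logins for the mobile client affected by the prompt issue.
  if (event.client.client_id !== event.secrets.MOBILE_CLIENT_ID) return;
  // Non-interactive flows (for example a refresh token exchange) cannot show a page.
  if (!api.redirect.canRedirect()) return;
  // Auth0 appends ?state=... to this URL itself; put no user data or tokens in it.
  api.redirect.sendUserTo(event.secrets.LANDING_PAGE_URL);
};

// Runs when the landing page sends the user back to /continue.
// The landing page returns no data, so nothing from it is read or trusted here.
const onContinuePostLogin = async (event, api) => {};

// --- Landing page script (served by you, shown here for completeness) ---
// Placeholder: replace with your own Auth0 tenant domain.
const TENANT_DOMAIN = "tenant.example.com";

// Builds the href for the "Return to App" button. The target host is fixed,
// so a crafted query string cannot turn the page into an open redirect.
function buildContinueUrl(pageUrl) {
  const state = new URL(pageUrl).searchParams.get("state");
  if (!state) return null; // page opened outside a login flow: show no button
  const target = new URL(`https://${TENANT_DOMAIN}/continue`);
  target.searchParams.set("state", state);
  return target.toString();
}

// Auth0 Actions expect the handlers on `exports`.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```

The button's click is the user interaction that lets the browser follow the redirect back to the app, so the page should not call `buildContinueUrl` from a timer.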