Universal login broken on homescreen app in iOS 12.2

Universal login is not working on iOS 12.2 when saving it to homescreen.

I created a web app. In Safari it works perfectly. However, when I save it to the homescreen i get the error "Invalid token ´state´ does not match.

There is no simple way to debug a web app saved to homescreen but, sprinkling lots of alerts in the Auth0 source code I’ve narrowed it down to auth0 is trying to fetch the cookie before it returns from the Universal login back to the site. Here’s what I’ve observed:

Running in Safari

Open app url (would have put link to app, but apparently that is not allowed for new user :exploding_head:
Click login
Generates state and nonce and stores it in cookie (com.auth0.auth.statevalue)
Redirects to Universal login with state value as a parameter (/login?state=statevalue)
User logs in
Redirects to app url with the state value as part of the hash (#accesstoken=someaccesstoken&state=statevalue)
Gets state value stored in cookie
Compares state value from cookie with state value from hash
Logged in!

Running as homescreen app (webclip)

Click login
Generates state and nonce and stores it in cookie (com.auth0.auth.statevalue)
Redirects to Universal login with state value as a parameter (/login?state=statevalue)
User logs in
Redirects to app url with the state value as part of the hash (#accesstoken=someaccesstoken&state=statevalue)
Gets state value stored in cookie → no cookie present!!
Compares state value from cookie with state value from hash
Error → ´state´ does not match

If I check the cookie afterwards (document.cookie) it is there. It shouldn’t be since the auth0-js should have removed it. Doing the same check when opened in Safari the cookie has been correctly removed.

I suspect when opened as a homescreen app, auth0 tries to get the cookie before it has completely returned to site. It will therefore not find the token. The login fails and the and the cookie is not removed.

For testing, I have commented out the part of the storage handler that forces it to use cookies.

  this.storage = new CookieStorage();
  if (options.__tryLocalStorageFirst !== true) {
    return;
  }

This makes it use localstorage and then everything works.

Here is my test application: https://test-35763.firebaseapp.com/

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

I made a very hacky workaround using a setTimeout. It works but obviously it is not a preferred solution. So yes, I would very much appreciate further assistance.

Hey there!

Terribly sorry for the delay in response again. It’s iOS 13 now and as far as I know regarding the updates from the team responsible for Universal Login it should be fixed by now so I’m closing this topic but feel free to ping me via DM if you still struggle with that so I can reopen that topic.

Once more sorry for the delay!