Universal login is not working on iOS 12.2 when saving it to homescreen.
I created a web app. In Safari it works perfectly. However, when I save it to the homescreen I get the error "Invalid token ´state´ does not match".
There is no simple way to debug a web app saved to homescreen but, by sprinkling lots of alerts in the Auth0 source code, I’ve narrowed it down to auth0 trying to fetch the cookie before it returns from the Universal login back to the site. Here’s what I’ve observed:
Running in Safari
Open app url (would have put link to app, but apparently that is not allowed for new user)
Click login
Generates state and nonce and stores it in cookie (com.auth0.auth.statevalue)
Redirects to Universal login with state value as a parameter (/login?state=statevalue)
User logs in
Redirects to app url with the state value as part of the hash (#accesstoken=someaccesstoken&state=statevalue)
Gets state value stored in cookie
Compares state value from cookie with state value from hash
Logged in!
Running as homescreen app (webclip)
Click login
Generates state and nonce and stores it in cookie (com.auth0.auth.statevalue)
Redirects to Universal login with state value as a parameter (/login?state=statevalue)
User logs in
Redirects to app url with the state value as part of the hash (#accesstoken=someaccesstoken&state=statevalue)
Gets state value stored in cookie → no cookie present!!
Compares state value from cookie with state value from hash
Error → ´state´ does not match
If I check the cookie afterwards (document.cookie) it is there. It shouldn’t be since the auth0-js should have removed it. Doing the same check when opened in Safari the cookie has been correctly removed.
I suspect that when opened as a homescreen app, auth0 tries to get the cookie before it has completely returned to the site. It will therefore not find the token. The login fails and the cookie is not removed.
For testing, I have commented out the part of the storage handler that forces it to use cookies.
    this.storage = new CookieStorage();
    if (options.__tryLocalStorageFirst !== true) {
        return;
    }
This makes it use localStorage and then everything works.
Here is my test application: https://test-35763.firebaseapp.com/
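The two flows listed in the post can be replayed offline with the sketch below. It is an added example, not part of the original post and not auth0-js code: `MemoryStore`, `beginLogin`, `handleCallback` and `simulate` are hypothetical names, and the second flow only models the observed symptom (the stored entry is not readable when the callback runs), not its cause.

```javascript
// Added example, not auth0-js code; function and class names are hypothetical.
const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;
const KEY_PREFIX = 'com.auth0.auth.'; // key prefix as shown in the post

// In-memory stand-in for one storage context (a cookie jar or localStorage).
class MemoryStore {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, v); }
  removeItem(k) { this.items.delete(k); }
}

function randomToken(bytes = 16) {
  const buf = webcrypto.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Before the redirect: create state and nonce, persist them keyed by state.
function beginLogin(store) {
  const state = randomToken();
  store.setItem(KEY_PREFIX + state, JSON.stringify({ nonce: randomToken() }));
  return '/login?state=' + encodeURIComponent(state);
}

// On the callback: the state from the hash must match a stored transaction.
// Fails closed when the entry is missing; removes it on success (single use).
function handleCallback(store, hash) {
  const state = new URLSearchParams(hash.replace(/^#/, '')).get('state');
  const raw = state ? store.getItem(KEY_PREFIX + state) : null;
  if (raw === null) return { ok: false, error: '`state` does not match' };
  store.removeItem(KEY_PREFIX + state);
  return { ok: true, nonce: JSON.parse(raw).nonce };
}

// Replays both flows from the post using constructed values.
// sameContextOnReturn = true: Safari flow; false: the entry is not visible on return.
function simulate(sameContextOnReturn) {
  const before = new MemoryStore();
  const loginUrl = beginLogin(before);
  const state = new URL(loginUrl, 'https://app.example').searchParams.get('state');
  const onReturn = sameContextOnReturn ? before : new MemoryStore();
  const result = handleCallback(onReturn, '#access_token=constructed&state=' + state);
  return { result, leftover: before.getItem(KEY_PREFIX + state) !== null };
}
```

`simulate(false)` reproduces both symptoms from the post: the state check fails and the stored entry is left behind because removal only happens after a successful match. The check failing closed is the intended behaviour for this CSRF guard, so the fix belongs in making the stored transaction readable on return rather than in relaxing the comparison.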