Xamarin iOS app rejected on appstore for using safari auth

Hi, we have implemented auth0 on a xamarin forms app following the example on github.

Unfortunately the app got rejected on the iOS appstore for the following reason: “We noticed that the user is taken to Safari to sign in or register for an account, which provides a poor user experience.”

They say a solution would be:
“We recommend implementing the Safari View Controller API to display web content within your app.”

But I really have no idea to do something like that in Xamarin. Maybe someone has some example how to do this?
Thanks!

:wave: @nigmalab as you mentioned your application may be using a UIWebView, should be using SFSafariViewController I believe, to display the login page which as you experienced Apple will be rejecting apps that are implemented as such. Have you tried the following the OIDC examples GitHub - auth0-samples/auth0-xamarin-oidc-samples: Auth0 OIDC Client with Xamarin applications and/or the quick-start Auth0 Xamarin SDK Quickstarts: Login. We also had a recent new blog post about building a Xamarin forms app Developing Mobile Apps with Xamarin Forms and Azure Functions.

Hi, as I mentioned Apple told me that browser auth is prohibited. All your iOS samples use LoginAsync which even in docs says it uses the browser:

	// Summary:
	//     Launches a browser to log the user in.
	public Task<LoginResult> LoginAsync(object extraParameters = null);

I cannot understand how this can be the official docs/demos as they clearly violate apple’s terms and app will not get approved.
Hopefully we can find a solution as this problem is pending in my workflow for some time now.

Thanks.

Hey there!

Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!

Do you still require further assistance from us?

Hi, yes some guidelines would be helpful. At the end I had to remove google login support from my iOS app because your tutorials/examples always insisted in the browser popup method which apple does not accept and I was not able to create my own webview version…

Any help would be appreciated, thanks.

Hey there @nigmalab!

So basically the core reason why wo do sign up / login popup instead of handling everything in the app is security concern. You can read more about various authorisation flows used by mobile apps or web apps here:

Unfortunately when it comes to Xamarin we still do not offer much of a content / quickstarts or articles regarding that. The only ting for now that we have and you can make use of is the repo that is maintained by community devs. You can find it here:

Hi there,
I completely understand that popup auth is used for security reasons. But as I said, its AGAINST APPLES RULES TO USE POPUP AUTH and I am completely certain about this because MY APP WAS REJECTED DUE TO THAT REASON.

Any kind of help would be really appreciated but its really weird that your tutorials for iOS are completely useless and against appstore rules and nobody seems aware of this issue…

Thanks anyways,
Helmuth

Sorry for the experience. Could you share with us the justification you get from Apple? Thank you!

This was over a year ago and I cannot find the exact text, but I found a case which looks just about the same:

Blockquote
10.6 : Apple and our customers place a high value on simple, refined, creative, well thought through interfaces. They take more work but are worth it. Apple sets a high bar. If your user interface is complex or less than very good, it may be rejected ----- 10.6 -----

Blockquote
We found the following issue with the user interface of your app:
The app opens a web page in mobile Safari for creating an account or logging in for Google+ account, then returns the user to the app. The user should be able to create an account or log in without opening Safari first.

Hey there!

Sorry for slight delay in response. I will dig into that and get back to you shortly!

Hey there!

Sorry for this delay in response by I needed to go through that with various product managers. It’s been the first time we encountered a situation like that. The browser part is compulsory here looking strictly at the security aspect. We know that it collides with the UI transition a bit but it provides the best safety.

Getting back to what you wrote, there are a lot of people implementing our iOS quickstarts or even developing more complex iOS apps and then releasing them to App store (both here in the community as well as our Enterprise customers and we’ve never experienced situation like that)

We would like to dig deeper into that. Is it possible you can ask them for more detailed explanation and guidance on how you should address that?

Hey there!

Have you had a chance to see my previous message?

Ping ping friendly ping :slight_smile:

Hi!
As I stated in some previous post

No popup is allowed, so the solution apple was proposing was the integrate the whole login thing into a webview so no transition happens. The issue is that I could not find the way to implement the webview. I could call the website somehow from the webview but no idea how to handle if the user logs in.

You don’t have to convince me, I completely understand, but apple thinks otherwise :wink:

Thanks,
Helmuth

Have you tried using the default implementation Browser Class AutoSelectBrowser?

AutoSelectBrowser is the default if you do not override the Browser option. It will create the appropriate UI based on the iOS Version

        // For iOS 12+ use ASWebAuthenticationSession
        if (UIDevice.CurrentDevice.CheckSystemVersion(12, 0))
            return ASWebAuthenticationSessionBrowser.Start(options);

        // For iOS 11 use SFAuthenticationSession
        if (UIDevice.CurrentDevice.CheckSystemVersion(11, 0))
            return SFAuthenticationSessionBrowser.Start(options);

        // For iOS 10 and earlier use SFSafariViewController
        return SFSafariViewControllerBrowser.Start(options);

Only the SFSafariViewController is a popup of safari. The others are embedded WebViews. They also display an alert to the user. This alert gives the user an indication that they are being redirected.

Hope this helps.

1 Like

I’ll make sure to relay that info to our product team to consider. For future reference make sure to report such things using our feature request feedback form here:

And please do give a try to what @rsatter suggested maybe that will work for them!

Have you had a chance to test what @rsatter suggested?

Friendly ping here @nigmalab :slight_smile: