Reputation: 24583
I am trying to implement a few different authentication mechanisms with my iOS application. The key is that the iOS application is distributed via the App Store and the server that it connects to is open source. For this, customers are expected to set up their own server. This works much like the RocketChat application works. When setting up a server the user can define what authentication providers they would like to use. All of the authentication data, client ids, secrets etc. are stored server side. The server application uses passportjs to support a variety of different authentication strategies. This means things like oauth are done via the server with the oauth callbacks hitting a server url. From there the server can create/map the user to a local account after authentication where authorization/access is controlled within the app.
When performing oauth for example the url would be something like:
https://customserver.com/authentication/google
From there, passportjs would redirect to google for authentication.
On to the problem, I need to launch something in iOS to start that authentication. Seems like the right thing to use in this case is ASWebAuthenticationSession. However when using ASWebAuthenticationSession there is a warning dialog that states the initial "customserver.com":
[App] wants to log in with “customserver.com” This allows the app and website to share information about you
While this is true, the server (using passportjs) will redirect to the authentication provider's site. In this case let's use google oauth for example. That means that this modal warning is very confusing: it states that customserver.com is the authentication provider, when in fact passportjs is redirecting to google (or some other) authentication provider.
Although ASWebAuthenticationSession makes this flow extremely easy, the fact that it does not and probably cannot monitor the initial redirect to google confuses the user. With that I have also looked at using SFSafariViewController and creating a deep link in the app to match the redirect scheme. Although not as clean as ASWebAuthenticationSession, this does work as there is no modal dialog warning the user. I can even create my own custom modal dialog that would warn the user of the correct authentication site if I wanted.
This leads me to a couple of questions.
1. Is there any way to get around or customize the message presented to the user when using ASWebAuthenticationSession?
2. Assuming the answer to #1 is no, is using SFSafariViewController an acceptable solution to work around the message?
Upvotes: 2
Views: 1704
Reputation: 3498
The only configuration possibility you have for that Modal as of iOS 15 is using CFBundleName to control the text part you indicate as [APP].
Yes, it is an acceptable workaround that will increase the maintenance and a tiny bit the complexity of your solution.
Security-wise it is equivalent as long as you use SFViewController. The modal does not bring any additional assurance given how easily you can make a modal pass as a system approved one.
As an aside, PKCE is a must on mobile app oauth2 flows.
Upvotes: 0
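The PKCE step mentioned in the answer above, as an added example that is not part of the original answer or of passportjs: the S256 challenge derivation and the server-side check from RFC 7636, written for Node.js because the server in the question is a Node application. The function names, the in-memory `pending` store and the idea of the server handing the app a one-time code over the deep link are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// RFC 7636 section 4.1: code_verifier is 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// App side: a fresh, high-entropy verifier for every login attempt.
function createVerifier() {
  return crypto.randomBytes(32).toString('base64url'); // 43 chars, no padding
}

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
// The app sends only this challenge when it opens the login URL.
function challengeFor(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Server side: recompute the challenge from the presented verifier and
// compare it to the stored one in constant time.
function verifyPkce(storedChallenge, presentedVerifier) {
  if (typeof presentedVerifier !== 'string' || !VERIFIER_RE.test(presentedVerifier)) {
    return false;
  }
  const expected = Buffer.from(challengeFor(presentedVerifier));
  const stored = Buffer.from(String(storedChallenge));
  return expected.length === stored.length && crypto.timingSafeEqual(expected, stored);
}

// Hypothetical store: one-time code delivered via the deep link -> challenge
// recorded when the login started. A real server would persist and expire these.
const pending = new Map();

function startLogin(code, challenge) {
  pending.set(code, challenge);
}

// Redeeming the code requires the verifier, so another app that intercepts
// the custom-scheme redirect cannot use the code on its own.
function redeem(code, verifier) {
  const challenge = pending.get(code);
  pending.delete(code); // single use, even when verification fails
  return challenge !== undefined && verifyPkce(challenge, verifier);
}
```
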