Safari not intercepting Universal Link after OAuth2 (Auth0) redirect

We have an issue where Safari on iOS is not handing off to our app after an Auth0 authentication redirect.

Issue

After a user completes sign-in via an Auth0-hosted login page in Safari, the callback redirect is followed as a plain HTTP navigation rather than being intercepted and handed off to the app.

Callback URL format: https://identity.example.com/ios/com.example.app/callback

Steps to reproduce

Open an Auth0 /authorize URL in Safari on iOS with a redirect_uri pointing to a Universal Link callback, log in, and observe that Safari navigates to the callback URL as a plain HTTP request rather than launching the app.

What works

  • ASWebAuthenticationSession inside the app handles the same callback correctly.
  • Navigating directly to a Universal Link launches the app, confirming AASA and Universal Links are correctly configured on the affected devices.

The issue is specific to Safari intercepting the callback URL when it arrives as the result of an Auth0 redirect.

Affected devices

Reproducible across multiple devices and iOS versions from iOS 18.x through iOS 26.x.


Does Safari have a restriction on intercepting Universal Links that result from a cross-domain redirect?

Any guidance appreciated 🙏

Thanks for the question. I do not know your Universal Links setup, nor can I see your AASA file or your Xcode configuration.

Safari requires the user to trigger a Universal Link and break the user out of the browser into an app.

When a user logs in via Auth0, the final step is typically an HTTP 3XX server-side redirect from Auth0's domain back to your callback URL. Because this navigation is initiated by the server automatically, Safari suppresses the Universal Link behavior and simply loads the URL as a standard web page.

If the user is starting this login flow from your iOS app, you should not be sending them out to the Safari app. You should use ASWebAuthenticationSession. It is best practice for in-app authentication, provides a secure context, and perfectly handles the redirect back to the app without Universal Link redirect issues.

If the user is genuinely starting on the web, you cannot rely on an HTTP 302 redirect, but you can rely on Universal Links.

I’ll be interested in seeing your Universal Links and configuration to see what the user customization is.

The most important part is to follow this well-written Tech Note TN3155: Debugging universal links | Apple Developer Documentation

Albert
  Worldwide Developer Relations.
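
The ASWebAuthenticationSession route recommended in the answer above, as an added example that is not part of the original thread and is not Apple's or Auth0's sample code: it registers the callback URL from the question as an HTTPS callback (an API available from iOS 17.4), sends PKCE and `state` values, and rejects any callback whose `state` does not match. The tenant host, the client ID, and the names `LoginCoordinator` and `LoginError` are placeholders chosen for illustration.

```swift
import AuthenticationServices
import CryptoKit
import UIKit

enum LoginError: Error { case stateMismatch, missingCode }

// Added example: tenant host, client ID and type names are placeholders.
@available(iOS 17.4, *)
final class LoginCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let window: UIWindow
    private var session: ASWebAuthenticationSession?   // strong reference while the sheet is up
    init(window: UIWindow) { self.window = window }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { window }

    /// Yields the authorization code plus the PKCE verifier needed to redeem it.
    func signIn(completion: @escaping (Result<(code: String, verifier: String), Error>) -> Void) {
        let state = UUID().uuidString                          // fresh per request
        let verifier = UUID().uuidString + UUID().uuidString   // 72 chars, PKCE allows 43-128
        let challenge = Data(SHA256.hash(data: Data(verifier.utf8))).base64EncodedString()
            .replacingOccurrences(of: "+", with: "-").replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")           // base64url, no padding
        var authorize = URLComponents(string: "https://YOUR_TENANT.auth0.com/authorize")!
        authorize.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: "YOUR_CLIENT_ID"),
            URLQueryItem(name: "redirect_uri",
                         value: "https://identity.example.com/ios/com.example.app/callback"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: challenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        // The session itself watches for the callback URL, so no Universal Link
        // hand-off from Safari is involved in returning to the app.
        let session = ASWebAuthenticationSession(
            url: authorize.url!,
            callback: .https(host: "identity.example.com", path: "/ios/com.example.app/callback")
        ) { callbackURL, error in
            if let error { return completion(.failure(error)) }   // includes user cancel
            let items = callbackURL.flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false) }?
                .queryItems ?? []
            func value(_ name: String) -> String? { items.first { $0.name == name }?.value }
            guard value("state") == state else { return completion(.failure(LoginError.stateMismatch)) }
            guard let code = value("code") else { return completion(.failure(LoginError.missingCode)) }
            completion(.success((code: code, verifier: verifier)))
        }
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }
}
```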
