Route ASWebAuthenticationSession URLs#524
Apps like Slack and Claude Desktop use `ASWebAuthenticationSession` for SSO/OAuth sign-in flows. Those requests do not go through the normal http/https default-browser `Launch Services` path; macOS only forwards them to the default browser if it declares web authentication session support in `Info.plist`. Without that declaration, the system falls back to Safari before Finicky can apply any routing rules. https://developer.apple.com/documentation/authenticationservices/supporting-single-sign-on-in-a-web-browser-app#Declare-the-Session-Handling-Capability This declares Finicky as an `ASWebAuthenticationSession`-capable browser and registers a session handler that forwards incoming authentication URLs through the existing URL handling pipeline. However, it does not declare ephemeral browser session support (`EphemeralBrowserSessionIsSupported`). Finicky routes URLs to another browser rather than owning the browsing context itself, so it cannot reliably guarantee that cookies, storage, or profile state are isolated for requests where `AuthenticationServices` asks for an ephemeral session. At this time, advertising only the base capability should be the minimal and honest thing to do; if this becomes an issue, this choice can be re-evaluated.
Install the ASWebAuthenticationSession handler before Finicky finishes its normal config bootstrap, so launches initiated by AuthenticationServices have a handler available immediately. Forward authentication requests through the normal URL resolver with a synthetic AuthenticationServices opener, while preserving best-effort callback completion for callback URLs that come back through Finicky. Keep the http/https URL type separate from the finicky scheme so Launch Services sees the browser URL claim cleanly.
Some ASWebAuthenticationSession clients require the selected browser to advertise callback URL matching before they will route SSO requests through it. Finicky can complete callbacks that re-enter Finicky, which preserves custom-scheme flows and gives callback-aware clients a route through the existing browser rules. This is intentionally best-effort: once Finicky forwards the initial auth URL to the concrete browser selected by user rules, it cannot observe subsequent navigations in that browser. Document that limitation next to the callback completion code. Do not declare ephemeral session support yet, because Finicky does not currently force an incognito or private session in the selected browser and should not claim stronger privacy semantics than it can provide.
The capability dict claimed support for ephemeral browser sessions (`shouldUseEphemeralSession`-flagged requests), but Grinch forwards auth URLs to the user's regular browser — which carries their existing cookies and profile state. Apple's contract for ephemeral sessions is "no cookies, no storage, no profile shared with normal browsing", and we can't honour that as a router. johnste/finicky#524 makes the same call with the same rationale. Apps that strictly require an ephemeral session now see the missing key and can fall back to a non-ephemeral flow rather than trusting an isolation guarantee that isn't actually delivered. Apps that don't request ephemeral (the vast majority) are unaffected. Inline comment in Info.plist documents the omission. Cargo.toml: add `NSUUID` and `NSUserActivity` features to objc2-foundation in preparation for the next two PR-#524-aligned changes (callback completion tracks request UUIDs; Universal-Links auth callbacks arrive via continueUserActivity:).
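As an added illustration of the mechanism described in the PR description and in the callback-completion commit message above, here is a minimal session handler in Objective-C. This is not Finicky's code and is not taken from the PR: it assumes a hypothetical `routeURL` block standing in for the app's own URL pipeline, and the plist keys `ASWebAuthenticationSessionWebBrowserSupportCapabilities` and `IsSupported` shown in the comment come from Apple's AuthenticationServices documentation, with `EphemeralBrowserSessionIsSupported` left out for the reason given above. The explicit refusal of `shouldUseEphemeralSession` requests is an extra defensive check added here, not something the PR states it does.

```objectivec
// Added example, not Finicky's code. Assumes the app's Info.plist declares
// only the base capability (keys from Apple's AuthenticationServices docs):
//   <key>ASWebAuthenticationSessionWebBrowserSupportCapabilities</key>
//   <dict>
//       <key>IsSupported</key>
//       <true/>
//       <!-- EphemeralBrowserSessionIsSupported deliberately omitted:
//            a URL router cannot isolate cookies/storage/profile state -->
//   </dict>
#import <Foundation/Foundation.h>
#import <AuthenticationServices/AuthenticationServices.h>

API_AVAILABLE(macos(10.15))
@interface AuthSessionRouter : NSObject <ASWebAuthenticationSessionWebBrowserSessionHandling>
// Hypothetical: the app's existing URL routing entry point.
@property (nonatomic, copy) void (^routeURL)(NSURL *url);
// Requests we forwarded and may still complete if a callback re-enters this app.
@property (nonatomic, strong) NSMutableDictionary<NSUUID *, ASWebAuthenticationSessionRequest *> *pending;
@end

@implementation AuthSessionRouter

- (instancetype)initWithRouter:(void (^)(NSURL *))routeURL {
    if ((self = [super init])) {
        _routeURL = [routeURL copy];
        _pending = [NSMutableDictionary dictionary];
    }
    return self;
}

- (void)beginHandlingWebAuthenticationSessionRequest:(ASWebAuthenticationSessionRequest *)request {
    // Defensive check (added here): the capability dict does not advertise
    // ephemeral support, so the system should not send such a request. If one
    // arrives anyway, refuse it instead of forwarding it into a browser profile
    // that carries the user's existing cookies and state.
    if (request.shouldUseEphemeralSession) {
        NSError *err = [NSError errorWithDomain:ASWebAuthenticationSessionErrorDomain
                                           code:ASWebAuthenticationSessionErrorCodeCanceledLogin
                                       userInfo:@{NSLocalizedDescriptionKey:
                                                  @"ephemeral sessions are not supported by a URL router"}];
        [request cancelWithError:err];
        return;
    }
    // Remember the request by UUID so a callback that re-enters this app can
    // complete it, then hand the auth URL to the normal routing rules.
    self.pending[request.UUID] = request;
    self.routeURL(request.URL);
}

- (void)cancelWebAuthenticationSessionRequest:(ASWebAuthenticationSessionRequest *)request {
    [self.pending removeObjectForKey:request.UUID];
}

// Best-effort callback completion: once the auth URL has been forwarded to the
// concrete browser, this app cannot observe navigations there. Only a callback
// URL that comes back through this app (e.g. a custom scheme it owns) can be
// matched to a pending request and completed.
- (BOOL)completeCallbackURL:(NSURL *)callback {
    for (NSUUID *uuid in [self.pending allKeys]) {
        ASWebAuthenticationSessionRequest *req = self.pending[uuid];
        if (req.callbackURLScheme != nil &&
            [callback.scheme caseInsensitiveCompare:req.callbackURLScheme] == NSOrderedSame) {
            [req completeWithCallbackURL:callback];
            [self.pending removeObjectForKey:uuid];
            return YES;
        }
    }
    return NO;
}

@end

// Install early, before the app's normal config bootstrap, so a launch
// initiated by AuthenticationServices already has a handler in place.
static void InstallAuthSessionHandler(void (^routeURL)(NSURL *)) {
    if (@available(macOS 10.15, *)) {
        // Kept in a static so the handler outlives this call; the manager is
        // assumed not to retain it.
        static AuthSessionRouter *handler;
        handler = [[AuthSessionRouter alloc] initWithRouter:routeURL];
        [ASWebAuthenticationSessionWebBrowserSessionManager sharedManager].sessionHandler = handler;
    }
}
```

`InstallAuthSessionHandler` would be called from the app's startup path with its real router block; `completeCallbackURL:` would be called from the app's regular URL-open handler for any URL whose scheme matches a pending request's `callbackURLScheme`. Both the early installation and the best-effort nature of callback completion follow the commit messages above; the example only makes them concrete.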
@johnste You may be the one who can finish this. I cannot make this work locally; maybe this is related to this constraint: https://bugzilla.mozilla.org/show_bug.cgi?id=1921535#c10
Since I'm signing this ad hoc because I don't have a developer account, this doesn't appear to work properly.
By the way I created this app (the archive contains sources only, so you'll have to build it), unsure if this is that useful: finicky-auth-session-test-source.tar.gz
Should fix #405
Note: I'm not sure how to unit test that. The integration point `main.m` is not, and this part relies on macOS Launch Services.