App rejected for Mac Catalyst due to opening external browser during Sign-In about googlesignin-ios HOT 41 OPEN

@tigernghk I'm doing what I can by raising this issue with colleagues internally who are able to reach out to Apple. Otherwise, @ostatnicky posted here that engaging with Apple Developer Technical Support helped to resolve the rejection.

I will be sure to post here if I receive any update.

from googlesignin-ios.

@mdmathias Ok, I’ll try to ask them.

from googlesignin-ios.

@mdmathias Yes, I'm waiting for a response from Apple reviewer...

from googlesignin-ios.

Thanks for the reply @ostatnicky. I appreciate it, and I'm sure that this is frustrating for you.

The answer you received seems to repeat the same information. I still don't understand it, as it implies that ASWebAuthenticationSession shouldn't be used on macOS, which doesn't make sense to me.

Good find regarding the deprecation of -[ASWebAuthenticationSession initWithURL:callbackURLScheme:completionHandler:]. I will point out that OIDExternalUserAgentIOS also uses this method, and it appears that iOS apps are not getting rejected for this reason. This leads me to think the deprecation is not the cause of this rejection, and gives me reason to suspect that the rejection is an error.

I'm not sure what I can do to help on my side, but I will reach out to colleagues and see if they have any ideas. On your side, perhaps you can ask for clarification on whether or not the reviewer is saying that ASWebAuthenticationSession shouldn't be used on macOS or Mac Catalyst?

I will follow up here if I learn anything.

from googlesignin-ios.

Thanks @mattisssa for the note. I will share this will my colleagues internally.

For you and others on this thread, I'm doing what I can to get clarification and resolution. I will be sure to follow up here when I have something to share.

from googlesignin-ios.

We are engaging with Apple to try to better understand this issue. Are you able to share your app name(s)? Please share them here if so. If you're not comfortable sharing on this thread, then please let me know if you'd be able to share if we found a more private mechanism. I can figure something out there.

@mdmathias our app name is LogDT - get things done & more. We have a version on the Mac App Store that has this issue (version 1.7.1 which was initially rejected but we got an exemption assuming we can fix it in the next version).

from googlesignin-ios.

@mdmathias Sure, our app is Done! – Happy Productivity. The current version in the AppStore already has the "poor experience flow" in the Sign In/Up, so you can try it.

It weird that there is no issue similar like this for the Facebook iOS SDK. But they have exactly the same flow.

from googlesignin-ios.

Thanks @startechm @ostatnicky and @isaacadariku. I will share these names with my colleagues and let you know what I hear.

from googlesignin-ios.

This issue is critical. All mac catalyst apps are rejected now.
I know external browser is the behaviour of API.
Are there any workaround or solution?

from googlesignin-ios.

My mac catalyst app update was just rejected for this same reason, but I am given the opportunity to have the released approved this time due to bug fixes. I definitely agree this is critical if Apple is really going to reject any future updates that use Google Sign In calling the default browser. I do plan to write to the review team to explain that the issue needs to be taken up directly with Apple and Google, and not every developer that uses Google Sign In for a macCatalyst app....we'll see how that goes.

from googlesignin-ios.

The quote from the app store review above is confusing to me. ASWebAuthenticationSession is used by AppAuth (and thus GoogleSignIn-iOS - what I call 'GSI' below) when running on Mac Catalyst, and is specifically made for authentication via 3rd party services. I'm not aware of any changes in Apple policy on this subject.

Moreover, neither GSI nor AppAuth use UIWebView. Are you perhaps creating your own UIWebView somewhere?

Can you confirm the versions of GSI and AppAuth you see in your app? One thing I noticed is that the SignInSample app doesn't declare a Mac Catalyst run destination. Can you verify that you have one for your app? I modified the SignInSample app and you should see something like the below:

Another thing: can you set a breakpoint in OIDAuthorizationService+IOS.m at this location? I want to make sure that the correct user agent is being created for your Mac Catalyst run destination. This is important because ASWebAuthenticationSession is used for the auth flow when using Mac Catalyst (the agent created should eventually call through to here).

from googlesignin-ios.

+1. The same here. I've been rejected with this reason too.

Apple: The user is taken to the default web browser to sign in or register for an account, which provides a poor user experience.

from googlesignin-ios.

They report seeing this pop-up window.

from googlesignin-ios.

Can you confirm the versions of GSI and AppAuth you see in your app? One thing I noticed is that the SignInSample app doesn't declare a Mac Catalyst run destination. Can you verify that you have one for your app? I modified the SignInSample app and you should see something like the below...

I don't think it's Catalyst related. It's macOS related. There is the same popup on the Mac destination in the Sample app.

from googlesignin-ios.

@ostatnicky are you able to inquire with the reviewer to understand what they want the macOS app to do instead? GSI (via AppAuth) uses ASWebAuthenticationSession, which will use the default browser on macOS for the auth flow (see the quote from the documentation below). This is out of our control and is by Apple's design. Additionally, ASWebAuthenticationSession is Apple's recommended solution for authentication; so, I'm pretty confused by the rejection per the terms mentioned above.

"In macOS, the system opens the user’s default browser if it supports web authentication sessions, or Safari otherwise."

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

from googlesignin-ios.

The quote from the app store review above is confusing to me. ASWebAuthenticationSession is used by AppAuth (and thus GoogleSignIn-iOS - what I call 'GSI' below) when running on Mac Catalyst, and is specifically made for authentication via 3rd party services. I'm not aware of any changes in Apple policy on this subject.

Moreover, neither GSI nor AppAuth use UIWebView. Are you perhaps creating your own UIWebView somewhere?

Can you confirm the versions of GSI and AppAuth you see in your app? One thing I noticed is that the SignInSample app doesn't declare a Mac Catalyst run destination. Can you verify that you have one for your app? I modified the SignInSample app and you should see something like the below:

Another thing: can you set a breakpoint in [`OIDAuthorizationService+IOS.m` at this location](https://github.com/openid/AppAuth-iOS/blob/master/Sources/AppAuth/iOS/OIDAuthorizationService%2BIOS.m#L36)? I want to make sure that the correct user agent is being created for your Mac Catalyst run destination. This is important because `ASWebAuthenticationSession` is used for the auth flow when using Mac Catalyst ([the agent created should eventually call through to here](https://github.com/openid/AppAuth-iOS/blob/master/Sources/AppAuth/iOS/OIDExternalUserAgentCatalyst.m#L81)).

The quote from the app store review above is confusing to me. ASWebAuthenticationSession is used by AppAuth (and thus GoogleSignIn-iOS - what I call 'GSI' below) when running on Mac Catalyst, and is specifically made for authentication via 3rd party services. I'm not aware of any changes in Apple policy on this subject.

Moreover, neither GSI nor AppAuth use UIWebView. Are you perhaps creating your own UIWebView somewhere?

Can you confirm the versions of GSI and AppAuth you see in your app? One thing I noticed is that the SignInSample app doesn't declare a Mac Catalyst run destination. Can you verify that you have one for your app? I modified the SignInSample app and you should see something like the below:

Another thing: can you set a breakpoint in [`OIDAuthorizationService+IOS.m` at this location](https://github.com/openid/AppAuth-iOS/blob/master/Sources/AppAuth/iOS/OIDAuthorizationService%2BIOS.m#L36)? I want to make sure that the correct user agent is being created for your Mac Catalyst run destination. This is important because `ASWebAuthenticationSession` is used for the auth flow when using Mac Catalyst ([the agent created should eventually call through to here](https://github.com/openid/AppAuth-iOS/blob/master/Sources/AppAuth/iOS/OIDExternalUserAgentCatalyst.m#L81)).

@mdmathias I am not creating my own UIWebView. I am just calling GIDSignIn.sharedInstance.signIn(withPresenting: self) from my view controller. I was able to reproduce with the embedded example. It appears that Apple may have changed their policy in that regard because in the past, my app was accepted (I never had this issue before). It appears that they don't want a browser to be opened externally but within the app.

I tried this with GSI version 7.0.0 and 7.1.0: both builds were rejected.
Regarding the SignInSample app, it does not have Mac Catalyst as a target (I had to configure one). I also noticed the same behavior if I use the Mac target (designed for iPad) [which was available without adding any new target].

Here is a screenshot of what I have after putting a breakpoint at the location you provided. Please let me know if there is any particular field you are interested in? (It is painfully slow / I can try to give you more information tomorrow if that works)

One more thing, I saw that another user posted the screenshot that Apple provided showing the reason why the app was rejected: I had the exact same screenshot (with a different app name though).

from googlesignin-ios.

@startechm thanks for following up. It does look like you're getting the ASWebAuthenticationSession that you're supposed to. If you look above, you will see my comment that this is how ASWebAuthenticationSession works on macOS. It will open the default browser and start the auth flow. I'm confused by the rejection because it runs counter to how ASWebAuthenticationSession works, and that type is what Apple tells us to use for auth flows. A policy change to use a web flow within a macOS app is essentially the same as saying, "Don't use ASWebAuthenticationSession," which hasn't been announced to my knowledge and would be a kind of deprecation of that type.

I suggest reaching out to the reviewer to ask why your app is getting rejected on macOS for using ASWebAuthenticationSession, which is what Apple says to use.

Link to the class for your convenience:

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

from googlesignin-ios.

@mdmathias Ok, I've got the response from the Apple reviewer:

Hello,

Thank you for your reply regarding the external login and Google SDK, and your attempted compliance with the 4.0 guidelines.

We advise to update to the latest Google SDK and use “SFSafariViewController” instead of “UIWebView”.

This will ensure that the app correctly implements an account authentication mechanism that does not link users out to Safari.

We look forward to reviewing your revised binary.

Best regards,

App Review

But from what I understand, you're using SFSafariViewController there, aren't you?

from googlesignin-ios.

@mdmathias When I read the documentation it looks that init(url:callbackURLScheme:completionHandler:) is going to be deprecated in iOS and Mac Catalyst 17.4. Maybe it's causing the whole issue here. And AppAuth is using it in OIDExternalUserAgentCatalyst.m on line 82.

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/2990952-init

from googlesignin-ios.

@mdmathias I've asked the reviewer about if ASWebAuthenticationSession shouldn't be used on macOS or Mac Catalyst and it looks that there are non-technical people. It makes sense. @mdmathias Are you able to connect with Apple to resolve this issue?

Hello,

Thank you for your response. 

Regarding Guideline 4.0, should you require more assistance with resolving this issue, [Apple Developer Technical Support](https://developer.apple.com/support/technical/) is available to provide direct one-on-one support for discrete code-level questions.

Best regards,

App Review

from googlesignin-ios.

It's funny, I have a screen in my app that use WKWebView wrapped to UIViewController and just simply presented and the result looks much better with nice modal screen. But when you try to use SFSafariViewController all started to be mess on MacOS :D

from googlesignin-ios.

@startechm Did you resolve it somehow?

from googlesignin-ios.

@ostatnicky Unfortunately, I do not personally have the ability to directly connect with anyone at Apple on this. I have talked with colleagues internally and everyone is just as perplexed as we are. I still believe this rejection is a mistake.

That said, perhaps your next step is to schedule a meeting with Apple Developer Technical Support as the reviewer suggests. I imagine that person will look at the situation as we do.

from googlesignin-ios.

@startechm Did you resolve it somehow?
I have had multiple interactions with Apple but every time they send me about the same answer. I don't think they are technical also.

I was not able the resolve the issue on my end so I asked for an exemption (because I told them that the previous version worked like this and I will try to fix it in the next version) and they granted it to me but they said that I cannot submit a future version until this is fixed.

It appears that the issue is the fact that it should open a ViewController (so it looks like it is running within the app) instead of opening an external app. For iOS/iPhone it seems to be working as they expect. Would it be hard to fix the behavior so it opens a ViewController instead of an external app?

If you try to use for example "Firefox" as your default browser, it becomes more obvious that it is opening an external app (browser).

Not sure what can be done at this point. It is very difficult to contact Apple and get a good answer.

from googlesignin-ios.

@mdmathias @startechm I’ve sent a request for a technical meeting. We will see if they can give us some advice.

from googlesignin-ios.

We've received the same rejection reason for the last couple of versions. Our macOS app, not a Catalyst one, doesn't allow control over where the Google SDK redirects users for authentication.

Any advice on convincing the Apple review team? No success yet.

from googlesignin-ios.

Hi @ostatnicky @startechm @mattisssa. We are engaging with Apple to try to better understand this issue. Are you able to share your app name(s)? Please share them here if so. If you're not comfortable sharing on this thread, then please let me know if you'd be able to share if we found a more private mechanism. I can figure something out there.

from googlesignin-ios.

Hi @mdmathias. We have the same issue for macOS, our app name is "Reflection Journal & Prompts".

Here is a screenshot, if they will need the submission ID:

from googlesignin-ios.

@mdmathias Unfortunately, no one has yet replied to my request for the technical support from Apple.

from googlesignin-ios.

@mdmathias Oops, I missed the discussion.
It's Spellar AI

We passed the review a few times, compelling Apple to approve the submission due to critical bug fixes.

from googlesignin-ios.

@mdmathias Our app (Done!) was approved accidentaly without any further interaction. If this was due to you, thank you very much!

from googlesignin-ios.

Ok, I noticed that Apple Developer Technical Support answered me on Saturday.

I wrote them:

[…] This is out of our control and is by Apple's design. Additionally, ASWebAuthenticationSession is Apple's recommended solution for authentication; so, I'm pretty confused by the rejection per the terms mentioned above. "In macOS, the system opens the user’s default browser if it supports web authentication sessions, or Safari otherwise." https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession Can you give us some advice on how to solve this problem? [...]

The answer:

I've escalated this to the App Review Board to take a further look. The behavior described for ASWebAuthenticationSession is expected on macOS and Mac Catalyst. I'll follow up once I learn more about their results.

And the reviewer approved our app with a note:

Thank you for confirming that you will address the remaining issues in your next submission. We’re happy to help you deliver bug fixes to your users and will approve this submission at this time.

So Apple Technical team understands that, unfortunately I'm worried about whether the Review team does too.

from googlesignin-ios.

I do plan to write to the review team to explain that the issue needs to be taken up directly with Apple and Google, and not every developer that uses Google Sign In for a macCatalyst app....we'll see how that goes.

@ghb101, we've gone through 5-7 releases with the same rejection, and each time, we've tried to explain the issue to Apple. However, this has been utterly futile, as they've insisted that we "fix" the problem.

Passing the review every time by citing "critical bug fixes" is incredibly frustrating and time-consuming.

from googlesignin-ios.

We are doing our best to consult with counterparts at Apple. In the meantime, I think this message from ostatnicky indicates that working with Apple Developer Technical Support (ADTS) will result in an approved submission.

Perhaps if more apps reach out to ADTS, then app store review process will be updated more quickly?

from googlesignin-ios.

Google Sign In SDK depends on AppAuth SDK. I have changed code in AppAuth SDK to use WKWebView as embedded browser instead of ASWebAuthenticationSession for quick and dirty way to solve the problem. Specifically, I only have changed the file "OIDExternalUserAgentCatalyst.m". My app is approved eventually.

from googlesignin-ios.

@tigernghk Could you share the "dirty" code with us?

from googlesignin-ios.

FYI. Here is my modified code in OIDExternalUserAgentCatalyst.m:

https://github.com/tigernghk/AppAuth_WKWebView/blob/main/OIDExternalUserAgentCatalyst.m

from googlesignin-ios.

@tigernghk You shouldn't be using a WKWebView for authorization flows. Webviews are disallowed user agents for most identity providers. This is because the developers implementing the webview can inject JavaScript, read cookies, etc. In short, they are not secure for authorization.

from googlesignin-ios.

Thanks. I hope you can find better solution.

from googlesignin-ios.

@tigernghk Unfortunately, this is not a problem we can solve in GSI or AppAuth. I am of the position that these rejections are an error in app submission review process. The "fix" will come from there.

In any case, using a web view for authorization will likely lead to a 403 - disallowed_useragent error when using Sign in with Google. I highly recommend that you change using a web view for sign ins.

from googlesignin-ios.

We had the same issue. Thanks to this thread I managed to get approved with the following response to the Review team:

Guideline 4.0 - Design (Google Sign In)

"I've escalated this to the App Review Board to take a further look. The behavior described for ASWebAuthenticationSession is expected on macOS and Mac Catalyst. I'll follow up once I learn more about their results."

This is the answer of the Apple Technical Team. I'm sure that it's correct like it is in our app.

"Use an ASWebAuthenticationSession instance to authenticate a user through a web service, including one run by a third party. [...] In macOS, the system opens the user’s default browser if it supports web authentication sessions, or Safari otherwise.)"

Source: https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

Feel free to copy this text for your review rejection.

from googlesignin-ios.