feat(ios): natively intercept https redirect URIs via ASWebAuthenticationSession callback (iOS 17.4+)

[danchily2]

Fixes #987

Description

When the redirect URI is an https universal link, OIDExternalUserAgentIOS creates the session with callbackURLScheme:@"https" — a scheme ASWebAuthenticationSession does not support — so the session never intercepts the redirect. Flow completion then depends on the universal link opening the app from inside the auth session, which is not triggered by server-side redirects or JS navigation, and is sporadically dropped entirely. The result is an authorize() promise that never settles, with the user stuck on a permanently disabled login UI (also reported as #932; root cause tracked upstream since 2018 in openid/AppAuth-iOS#367, and the callbackURLScheme: initializer is deprecated per openid/AppAuth-iOS#847). The same failure class affects other SDKs (e.g. google/GoogleSignIn-iOS#388). The common workaround — a hosted "trampoline" page forwarding the callback to a custom scheme — reintroduces the custom scheme universal links were adopted to avoid, and the in-session JS hop is itself sporadically blocked by WebKit.

iOS 17.4 added ASWebAuthenticationSessionCallback callbackWithHTTPSHost:path:, which lets the session intercept an https redirect natively — no app-site-association timing dependency, no trampoline page, no custom scheme.

This PR adds RNAppAuthHTTPSExternalUserAgent (modeled on AppAuth's OIDExternalUserAgentIOS, including ephemeral-session and presentation-context handling) and uses it automatically when:

• no iosCustomBrowser is requested, and
• the redirect URI scheme is https, and
• running on iOS 17.4+.

Everything else — custom browsers, custom-scheme redirect URIs, iOS < 17.4 — keeps the existing behavior, so this is a progressive enhancement with no API surface change.

Notes per CONTRIBUTING:

• iOS-only by design: Android already supports https App Links redirects natively through AppAuth-Android's RedirectUriReceiverActivity intent filters, so there is no equivalent defect to replicate there.
• No JS/TypeScript surface change → no index.js/index.spec.js/typings/readme updates needed; yarn test and yarn lint are unaffected (native-only change).
• Changeset included (minor).

Steps to verify

Requirement: the https callback path needs the callback host registered as an associated domain with the webcredentials service type — both the com.apple.developer.associated-domains entitlement (webcredentials:example.com) and a webcredentials entry for the app in the domain's apple-app-site-association file. Without the association, the agent transparently falls back to the legacy callbackURLScheme session (AppAuth's default behavior), so apps without the association are unaffected.

1. Configure an OIDC provider with an https universal-link redirect URI, add the webcredentials associated domain (entitlement + AASA), and run on an iOS 17.4+ device or simulator.
2. Call authorize() and complete sign-in: the session intercepts the redirect itself — the sheet closes on the provider's 302 without loading the redirect page, and authorize() resolves with the token response.
3. Cancel the sheet: authorize() rejects with the user-cancelled error as before.
4. Remove the webcredentials association and repeat: the fallback path engages and behavior matches current main.
5. Run on iOS < 17.4 (or with iosCustomBrowser, or a custom-scheme redirect URI): behavior is unchanged from current main.

🤖 Generated with Claude Code

[vercel]

@danchily2 is attempting to deploy a commit to the formidable-labs Team on Vercel.

A member of the Team first needs to authorize it.

[changeset-bot]

🦋 Changeset detected

Latest commit: 44201c0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
react-native-app-auth	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR