Problem
On iOS, when using ASWebAuthenticationSession (via authorizeAndExchangeCode with externalUserAgent: asWebAuthenticationSession or ephemeralAsWebAuthenticationSession), if the user leaves the auth flow in a half-finished state (e.g. the system consent dialog or the in-app browser is shown, then the app is backgrounded or killed without the user tapping Continue/Cancel), iOS can keep that session in a “pending” state.
When the user opens the app again (cold start), the system re-presents that pending session: the “[App Name] Wants to Use "[domain]" to Sign In” consent dialog appears immediately on launch, without the user tapping Sign In. This is confusing and looks like the app is starting auth on its own.
We use ephemeral sessions for all user-initiated sign-in (ephemeralAsWebAuthenticationSession), and in that flow the consent dialog does not appear. The unwanted dialog only appears on app launch, which strongly suggests it is a resumed/pending session from a previous run, not a new session started by our code.
Desired behaviour
A way to cancel or clear any pending ASWebAuthenticationSession at app startup so that:
- No stale consent dialog is shown when the app is opened.
- The user only sees auth UI when they explicitly tap Sign In (at which point we start a new, ephemeral session as today).
Proposed solution
Expose a Dart API that forwards to the native layer to cancel any active/pending session, for example:
- Option A:
Future<void> cancelPendingSession() (or similar) on FlutterAppAuth, implemented on iOS by calling cancel() on any ASWebAuthenticationSession instance the plugin or AppAuth-iOS still holds. - ASWebAuthenticationSession docs
- Option B: Document that the plugin does not hold a reference across app launches, and if that’s the case, document the limitation and any recommended workaround (e.g. user must complete or cancel the flow).
You would call this method early in app startup (e.g. after plugin/GetIt init, before showing the main UI) so that any session left pending from a previous run is cleared and not re-presented.
This has cause us problems when using conjunction with LocalAuth. As the biometric prompt and the Auth Dialogue start looping.
Environment
-Package version: flutter_appauth ^10.0.0
- Platform: iOS (real device and simulator)
- Flow: OAuth 2 / OIDC with B2C-style provider; redirect URI
msauth.[bundleId]://auth
Notes
We are not asking to change when the consent is shown for a new session (that’s an iOS behaviour). We only need a way to clear a previous session that is being re-presented on launch.
If the plugin or AppAuth-iOS does not retain a reference to the session across process restarts, we’d still find it helpful if that were documented, and we’re happy to contribute a PR if a cancel API is feasible on the native side.
Problem
On iOS, when using
ASWebAuthenticationSession(viaauthorizeAndExchangeCodewith externalUserAgent:asWebAuthenticationSessionorephemeralAsWebAuthenticationSession), if the user leaves the auth flow in a half-finished state (e.g. the system consent dialog or the in-app browser is shown, then the app is backgrounded or killed without the user tapping Continue/Cancel), iOS can keep that session in a “pending” state.When the user opens the app again (cold start), the system re-presents that pending session: the “[App Name] Wants to Use "[domain]" to Sign In” consent dialog appears immediately on launch, without the user tapping Sign In. This is confusing and looks like the app is starting auth on its own.
We use ephemeral sessions for all user-initiated sign-in (
ephemeralAsWebAuthenticationSession), and in that flow the consent dialog does not appear. The unwanted dialog only appears on app launch, which strongly suggests it is a resumed/pending session from a previous run, not a new session started by our code.Desired behaviour
A way to cancel or clear any pending ASWebAuthenticationSession at app startup so that:
Proposed solution
Expose a Dart API that forwards to the native layer to cancel any active/pending session, for example:
Future<void> cancelPendingSession()(or similar) onFlutterAppAuth, implemented on iOS by callingcancel()on anyASWebAuthenticationSessioninstance the plugin or AppAuth-iOS still holds. - ASWebAuthenticationSession docsYou would call this method early in app startup (e.g. after plugin/GetIt init, before showing the main UI) so that any session left pending from a previous run is cleared and not re-presented.
This has cause us problems when using conjunction with LocalAuth. As the biometric prompt and the Auth Dialogue start looping.
Environment
-Package version: flutter_appauth ^10.0.0
msauth.[bundleId]://authNotes
We are not asking to change when the consent is shown for a new session (that’s an iOS behaviour). We only need a way to clear a previous session that is being re-presented on launch.
If the plugin or AppAuth-iOS does not retain a reference to the session across process restarts, we’d still find it helpful if that were documented, and we’re happy to contribute a PR if a cancel API is feasible on the native side.