Description of the issue:
During the development of a new macOS app, I integrated with Auth0 for OAuth2 authentication. Somewhere along the way I updated the (default) bundleIdentifier of my app to something like co.somecompany.App, at which point authentication stopped working for both Brave and Chrome (Safari continued to work fine, however).
To quickly summarize, authenticating with OAuth2 requires a callback to the authenticating party. For apps running on devices (vs. services) and things behind firewalls, this doesn’t work. Simplistically, Apple (and others) opts for a callback using a custom scheme, specifically named after the bundleIdentifier/application name, which the OS uses to invoke the app to continue/complete the authentication transaction.
The problem appears to be that the scheme gets lowercased by the browser. The callback invocation fails because there’s no app named co.somecompany.app – it’s called
e.g. authenticating with a Google Account
Initiating an authentication flow produces a pop-up browser window, with Google’s authentication dialog.
I either choose my account from a list of accounts presented, at which point I then enter my password, OR I have only one account and I am led right into the password entry. Enter the right password, the dialog closes itself and the appropriate OAuth2 tokens can be retrieved/exchanged.
After entering in my password, the dialog hangs. If I inspect the popup window (using Developer Tools), I see in the console:
Failed to launch 'co.somecompany.app://somecompany.us.auth0.com/macos/co.somecompany.App/callback?code=dnj-5bgoogabooga&state=7zAem7EWMuLSSk6CZ3foobarblortN5qrD6sTiVayBgQ' because the scheme does not have a registered handler.
Note the difference in case, between the scheme and the identifier in the URL itself.
I traced the code into Apple’s API (which handles the pop-up securely), and it is receiving the scheme in capitalized form. And this works with Safari, which means Safari is handing back the scheme in proper capitalized form. So this has to do with Brave.
Brave Browser Beta 1.27.84
I tried this on latest Chrome as well, and it has the same problem.
Reproducible on current live release:
I’m using macOS Big Sur v11.4
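The case mismatch in the error message above can be reproduced with a standard URL parser. This is an added example, not part of the original post and not code from Brave, Chrome, Apple or Auth0: the WHATWG URL parser (available in Node.js as URL) lowercases the scheme, since RFC 3986 treats schemes as case-insensitive with lowercase as the canonical form. The function names, the registered-scheme list and the case-sensitive lookup are assumptions for illustration; the code and state values are constructed placeholders.

```javascript
// Added example: names and the registered-scheme list below are hypothetical.
// Constructed callback URI modelled on the report; code/state are placeholders.
const CALLBACK =
  "co.somecompany.App://somecompany.us.auth0.com/macos/co.somecompany.App/callback" +
  "?code=CONSTRUCTED_CODE&state=CONSTRUCTED_STATE";

// Scheme exactly as the application wrote it (RFC 3986 section 3.1 grammar).
function schemeAsWritten(uri) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(uri);
  if (!m) throw new Error("no scheme in: " + uri);
  return m[1];
}

// Scheme after WHATWG URL parsing, which lowercases it.
function schemeAsParsed(uri) {
  return new URL(uri).protocol.slice(0, -1); // drop the trailing ":"
}

// Compare the parsed scheme against handler names two ways.
// Assumption: a case-sensitive lookup models the failure in the report.
function checkCallback(uri, registeredSchemes) {
  const written = schemeAsWritten(uri);
  const parsed = schemeAsParsed(uri);
  return {
    written,
    parsed,
    caseChanged: written !== parsed,
    exactMatch: registeredSchemes.includes(parsed),
    foldedMatch: registeredSchemes.some((s) => s.toLowerCase() === parsed),
    pathname: new URL(uri).pathname, // the path keeps its original case
  };
}

// Pre-flight check for a redirect URI: flag schemes that parsing will alter.
function lintRedirectUri(uri) {
  const written = schemeAsWritten(uri);
  return written === written.toLowerCase()
    ? []
    : [`scheme "${written}" has uppercase; parsers emit "${written.toLowerCase()}"`];
}

const report = checkCallback(CALLBACK, ["co.somecompany.App"]);
console.log(report, lintRedirectUri(CALLBACK));
```

A scheme registered in all-lowercase form is unaffected by this normalization.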