Crash with SIGABRT: The specified URL has an unsupported scheme. Only HTTP and HTTPS URLs are supported.

[awBSH]

Describe the bug Hello, we are randomly seeing crashes in our crash-reporting indicating

The specified URL has an unsupported scheme. Only HTTP and HTTPS URLs are supported.

When we saw this the first time (march 2020) , we added a check, that verifies that the URL-scheme is really http or https. But still this bug appears again. Besides that, the URL comes from a config and uses for sure only "https". Has anyone else seen such a crash yet?

To Reproduce Not reproducible, only reported as crash-report anonymously.

Smartphone (please complete the following information):

• Device: iPhone 6s
• OS: iOS 13.5.1
• Browser Safari
• Version unknown

Additional context It happens in AppAuth-iOS 1.0.0. The stacktrace of the crash points into AppAuth:

CoreFoundation
__exceptionPreprocess
libobjc.A.dylib
objc_exception_throw
CoreFoundation
+[NSException raise:format:]
SafariServices
-[SFSafariViewController initWithURL:configuration:]
SafariServices
-[SFAuthenticationViewController initWithURL:callbackURLScheme:usingEphemeralSession:presentationContextWindow:]
SafariServices
-[SFAuthenticationSession _startRequestingFromWebAuthenticationSession:inWindow:dryRun:]
AppAuth
-[OIDExternalUserAgentIOS presentExternalUserAgentRequest:session:] OIDExternalUserAgentIOS.m:114
AppAuth
-[OIDAuthorizationFlowSessionImplementation presentAuthorizationWithExternalUserAgent:callback:] OIDAuthorizationService.m:82
AppAuth
+[OIDAuthorizationService presentAuthorizationRequest:externalUserAgent:callback:] OIDAuthorizationService.m:415
AppAuth
+[OIDAuthState authStateByPresentingAuthorizationRequest:externalUserAgent:callback:] OIDAuthState.m:113
AppAuth
+[OIDAuthState(IOS) authStateByPresentingAuthorizationRequest:presentingViewController:callback:] OIDAuthState+IOS.m:32

[WilliamDenniss]

There's not a whole lot we can do with a non-reproducible bug unfortunately. I'll mark it as platform-bug for now, and we can see if there are any other reports of this.

[vegemanis]

I'm able to reproduce this consistently in my set up. Issue is actually that during the initialization of the login webpage, we return a redirect 302 response. Normally this is fine because it redirects to a normal login page, but a further downstream system that provides the login page url is responding with an error, so we're responding with a 302, and redirect location is our app schema since we don't have the url. We may fix this by returning a 500 error instead of a 302 for this, but I'm not sure it's appropriate to crash in this scenario. It crashes when starting the ASWebAuthenticationSession (same call stack as OP).