It is unclear whether CFBundleURLTypes settings is still necessary on iOS

[KKamishima]

Describe the bug It is unclear whether CFBundleURLTypes settings is still necessary on iOS, because there are discrepancies between the document and the example code.

To Reproduce The current README.md does not mention about anything about necessary settings in Info.plist, namely CFBundleURLTypes which is necessary to let the app handle a custom scheme. https://github.com/openid/AppAuth-iOS/blob/master/README.md

On the other hand, the provided Example code DOES contain such settings. https://github.com/openid/AppAuth-iOS/blob/master/Examples/Example-iOS_ObjC/Source/Info.plist

In fact, as long as I tested on my iOS 15 device, no such settings are required.

What is the truth? Give me a sign!

Expected behavior There shall be a clear statement on the document whether CFBundleURLTypes settings is necessary or not. In case it is necessary it shall contain a description on why it is necessary. Also, the Example code shall follow the statement on the document. If it were not necessary, such redundant settings shall be removed from the code.

Screenshots N/A

Environment

• Device: iPhone 8
• OS: iOS 15.4
• Browser: Safari
• App framework: Flutter

Additional context I had a brief discussion on the matter with MaikuB, who is the author of flutter_appauth package. https://github.com/MaikuB/flutter_appauth/issues/342

The article from Apple on the relevant APIs are not that clear in the first place. They do not mention anything about required configurations in your app; they may be implying it by using the word 'custom scheme' but who knows? https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service According to this passage, it may be handled internally in the browser (probably via its hooking mechanism) and not let the OS handle the custom scheme, which requires the said configurations in Info.plist.

After the user authenticates, the authentication provider redirects the browser to a URL that uses the callback scheme. The browser detects the redirect, dismisses itself, and passes the complete URL to your app by calling the closure you specified during initialization.

[olvrlrnz]

I had the same problem on macOS. I was wondering why everything worked without the Apple Event handler being called. I found my answer in the headerdoc of ASWebAuthenticationSession:

The callback URL usually has a custom URL scheme. For the app to receive the callback URL, it needs to either register the custom URL scheme in its Info.plist, or set the scheme to callbackURLScheme argument in the initializer.

As you can see here, callbackURLScheme is set when initializing the ASWebAuthenticationSession. So from my understanding the code is correct but the example is wrong.