7
5
Fork
You've already forked apple
1

Firefox does not support AsWebAuthenticationSession #589

Open
opened 2026年03月02日 09:05:54 +01:00 by marijngiesen · 17 comments

There seems to be some new functionality that opens Safari when logging into EduVPN. This is super annoying when you don't use Safari as your browser. After logging in Safari keeps running and I have to quit it manually. Why is this changed? The previous versions allowed logging in using your default browser (which has my Bitwarden extension etc).

Please change this back to the way it used to work, or make it configurable.

There seems to be some new functionality that opens Safari when logging into EduVPN. This is super annoying when you don't use Safari as your browser. After logging in Safari keeps running and I have to quit it manually. Why is this changed? The previous versions allowed logging in using your default browser (which has my Bitwarden extension etc). Please change this back to the way it used to work, or make it configurable.

The reason why we changed this: #555

In macOS, the system opens the user’s default browser if it supports web authentication sessions, or Safari otherwise.

(Source: https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession)

It seems that Safari and Chrome support this, but e.g. Firefox does not. This came up in their issue tracker regarding another app as well: https://bugzilla.mozilla.org/show_bug.cgi?id=1921535

Which browser are you using? Can you find out their status regarding support for ASWebAuthenticationSession?

The reason why we changed this: https://codeberg.org/eduVPN/apple/issues/555 > In macOS, the system opens the user’s default browser if it supports web authentication sessions, or Safari otherwise. (Source: https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) It seems that Safari and Chrome support this, but e.g. Firefox does not. This came up in their issue tracker regarding another app as well: https://bugzilla.mozilla.org/show_bug.cgi?id=1921535 Which browser are you using? Can you find out their status regarding support for `ASWebAuthenticationSession`?

Yeah, I'm using Firefox. So no AsWebAuthenticationSession yet.

Yeah, I'm using Firefox. So no `AsWebAuthenticationSession` yet.
fkooman changed title from (削除) EduVPN authorization always opens a Safari browser and not your default browser (削除ここまで) to Firefox does not support AsWebAuthenticationSession 2026年03月03日 16:14:45 +01:00

Seeing the same for Safari on the latest App Store release, unfortunately. Neither ungoogled chromium nor Safari managed to open an actual page, when closed they do open but won't navigate anywhere.

Seeing the same for Safari on the latest App Store release, unfortunately. Neither ungoogled chromium nor Safari managed to open an actual page, when closed they do open but won't navigate anywhere.

Which macOS are we talking about? I'm testing with macOS 15 and everything works exactly as expected: a new window just for the authentication/authorization is opened and gets focus.

It could be that "ungoogled chromium", like Firefox, doesn't support ASWebAuthenticationSession either?

Which macOS are we talking about? I'm testing with macOS 15 and everything works exactly as expected: a new window just for the authentication/authorization is opened and gets focus. It could be that "ungoogled chromium", like Firefox, doesn't support `ASWebAuthenticationSession` either?

I‘m on the latest macOS 26.3.1 on an M1 Max platform, haven‘t just seen with with ungoogled chromium but also Safari, unfortunately. I‘ve tried to see if I get output in Console.app but couldn’t identify anything meaningful. Tried building the repo locally but am unfamiliar with Swift/XCode and especially their local code signing process, so avoided that for now. If it helps I can try to put some effort in and get it building locally to provide more meaningful debugging traces.

Unfortunately this is a breaking bug for me as a user as my institution doesn’t permit permanent OVPN configs issued by users.

Edit: also tested with latest Google Chrome, unfortunately same result.

I‘m on the latest macOS 26.3.1 on an M1 Max platform, haven‘t just seen with with ungoogled chromium but also Safari, unfortunately. I‘ve tried to see if I get output in Console.app but couldn’t identify anything meaningful. Tried building the repo locally but am unfamiliar with Swift/XCode and especially their local code signing process, so avoided that for now. If it helps I can try to put some effort in and get it building locally to provide more meaningful debugging traces. Unfortunately this is a breaking bug for me as a user as my institution doesn’t permit permanent OVPN configs issued by users. Edit: also tested with latest Google Chrome, unfortunately same result.

Tested with Chrome on macOS 15 (Chrome set as default browser), works exactly as expected. Upgrading my MBP to macOS 26 now.

Tested with Chrome on macOS 15 (Chrome set as default browser), works exactly as expected. Upgrading my MBP to macOS 26 now.

I just tested on macOS 26.3.1 with eduVPN 4.0.7 (2309) with both Safari as default browser and Chrome as default browser, and everything works fine.

The only issue I found is that if you have Chrome as default browser it will also open a normal Chrome browsing session behind the authentication/authorization window and leave it open after the authentication/authorization is finished and the dedicated window for that is automatically closed.

Support for ASWebAuthenticationSession in other browsers, like "Ungoogled Chromium" is a bit tricky, as they'll have to implement support for that, just like Firefox needs to do.

I just tested on macOS 26.3.1 with eduVPN 4.0.7 (2309) with both Safari as default browser and Chrome as default browser, and everything works fine. The only issue I found is that if you have Chrome as default browser it will *also* open a normal Chrome browsing session _behind_ the authentication/authorization window and leave it open after the authentication/authorization is finished and the dedicated window for that is automatically closed. Support for `ASWebAuthenticationSession` in other browsers, like "Ungoogled Chromium" is a bit tricky, as they'll have to implement support for that, just like Firefox needs to do.

After logging in Safari keeps running and I have to quit it manually.

This I also see. It doesn't (really) close it... Not sure this is something we can fix, it might be up to Apple to do that.

> After logging in Safari keeps running and I have to quit it manually. This I also see. It doesn't (really) close it... Not sure this is something we can fix, it might be up to Apple to do that.

Well I'm on Version 4.0.7 (2309), macOS 26.3.1 (25D2128) and couldn't get it working with any mainline browser 😅

While I do get the "eduVPN.app" Wants to Use "uni-due.de" to Sign In" prompt (and the browser (e.g. Chrome, Safari)) opens, I neither get a seperate expected auth window nor a new tab.

Edit: I found the fix in this chromium bug report.

The workaround is killing the SafariLaunchAgents, afterwards the session initiates as expected.

Well I'm on Version 4.0.7 (2309), macOS 26.3.1 (25D2128) and couldn't get it working with any mainline browser 😅 While I do get the `"eduVPN.app" Wants to Use "uni-due.de" to Sign In"` prompt (and the browser (e.g. Chrome, Safari)) opens, I neither get a seperate expected auth window nor a new tab. Edit: I found the fix in [this chromium bug report](https://issues.chromium.org/issues/40840827). The workaround is killing the SafariLaunchAgents, afterwards the session initiates as expected.

I have the same issue in macOD 26.3.1. Safari, brave and chrome do not work. The Authorization webpage does not open.

I have the same issue in macOD 26.3.1. Safari, brave and chrome do not work. The Authorization webpage does not open.
Collaborator
Copy link

@wood When you first tried to authenticate on the 4.0.7 release, what was your default browser set to?

The workaround seems to be to kill the SafariLaunchAgent process, and try again. Do you think you can try that?

@wood When you first tried to authenticate on the 4.0.7 release, what was your default browser set to? The workaround seems to be to kill the SafariLaunchAgent process, and try again. Do you think you can try that?

Same issue happens on MacOS 14.8.5 with Firefox >= 149.x as default browser. Why at all was there any behavior change? I do not want to use Safari for authentication.

Same issue happens on MacOS 14.8.5 with Firefox >= 149.x as default browser. Why at all was there any behavior change? I do not want to use Safari for authentication.

FWIW; this new feature completely breaks x509 authentication on macOS, unless you install Brave/Chrome as default browser. A normal Safari browser would use a client-certificate, this new browser doesn't. So it is broken when the browser is Safari, or Firefox. I would love to see the old behaviour back.

FWIW; this new feature completely breaks x509 authentication on macOS, unless you install Brave/Chrome as default browser. A normal Safari browser would use a client-certificate, this new browser doesn't. So it is broken when the browser is Safari, or Firefox. I would love to see the old behaviour back.

It is not a new browser, it is "just" Safari without address bar. Why Apple decided that X.509 client certificate authentication shouldn't work when using Safari with ASWebAuthenticationSession is unclear to me. Maybe intentional, maybe a bug, who knows. Did you report this to Apple? Is there even a channel to report such things?

At this point I'm unsure how to proceed. There seem to be too many bugs everywhere, even with the browsers that implement ASWebAuthenticationSession 🤷

@roopc Any thoughts? How sure are we that Apple will still allow an app update without ASWebAuthenticationSession? Is it an option to use ASWebAuthenticationSession for the App Store version, and "Loopback" for the out-of-store version?

It is not a new browser, it is "just" Safari without address bar. Why Apple decided that X.509 client certificate authentication shouldn't work when using Safari with `ASWebAuthenticationSession` is unclear to me. Maybe intentional, maybe a bug, who knows. Did you report this to Apple? Is there even a channel to report such things? At this point I'm unsure how to proceed. There seem to be too many bugs everywhere, even with the browsers that implement `ASWebAuthenticationSession` 🤷 @roopc Any thoughts? How sure are we that Apple will still allow an app update without `ASWebAuthenticationSession`? Is it an option to use `ASWebAuthenticationSession` for the App Store version, and "Loopback" for the out-of-store version?
Collaborator
Copy link

It sounds weird that client certification auth doesn't work only with ASWebAuthenticationSession but otherwise works with Safari. I assume that the certificate is installed in the keychain, so it should work in both cases the same way. Let's test this and make sure this is indeed the case.

If we do find that this is the case, that's probably big enough for us to ditch ASWebAuthenticationSession. Then let's file an issue with Apple and submit an update with localhost-server-based auth -- if app review asks us, we'll point to the issue we filed with Apple as the reason we removed ASWebAuthenticationSession usage.

What do you think of this plan?

Is it an option to use ASWebAuthenticationSession for the App Store version, and "Loopback" for the out-of-store version?

Yes, that's an option. It makes the code a little complicated though. We can consider this if the above plan doesn't work.

It sounds weird that client certification auth doesn't work only with ASWebAuthenticationSession but otherwise works with Safari. I assume that the certificate is installed in the keychain, so it should work in both cases the same way. Let's test this and make sure this is indeed the case. If we do find that this is the case, that's probably big enough for us to ditch ASWebAuthenticationSession. Then let's file an issue with Apple and submit an update with localhost-server-based auth -- if app review asks us, we'll point to the issue we filed with Apple as the reason we removed ASWebAuthenticationSession usage. What do you think of this plan? > Is it an option to use ASWebAuthenticationSession for the App Store version, and "Loopback" for the out-of-store version? Yes, that's an option. It makes the code a little complicated though. We can consider this if the above plan doesn't work.

It sounds weird that client certification auth doesn't work only with ASWebAuthenticationSession but otherwise works with Safari. I assume that the certificate is installed in the keychain, so it should work in both cases the same way. Let's test this and make sure this is indeed the case.

I just tested it, it is a bit tricky to set up and use... I imported a P12 in the "System" chain or however that is called (importing it in the "Local"/"User" chain didn't work, it gave an error without any details.

When using Safari it keeps asking for username and password (?) a bunch of times to "unlock" the client certificate, but it does work with ASWebAuthenticationSession as well. I don't know why it is so idiotic that it keeps asking for a username and password, without even prefilling the username.

image

I'm using the latest macOS 26.5 with Safari set as default browser.

> It sounds weird that client certification auth doesn't work only with ASWebAuthenticationSession but otherwise works with Safari. I assume that the certificate is installed in the keychain, so it should work in both cases the same way. Let's test this and make sure this is indeed the case. I just tested it, it is a bit tricky to set up and use... I imported a P12 in the "System" chain or however that is called (importing it in the "Local"/"User" chain didn't work, it gave an error without any details. When using Safari it keeps asking for username and password (?) a bunch of times to "unlock" the client certificate, but it *does* work with `ASWebAuthenticationSession` as well. I don't know why it is so idiotic that it keeps asking for a username and password, without even prefilling the username. ![image](/attachments/efba1e2a-0059-4654-9092-c26988ba9329) I'm using the latest macOS 26.5 with Safari set as default browser.
261 KiB

@fkooman wrote in #589 (comment):

It is not a new browser, it is "just" Safari without address bar. Why Apple decided that X.509 client certificate authentication shouldn't work when using Safari with ASWebAuthenticationSession is unclear to me. Maybe intentional, maybe a bug, who knows. Did you report this to Apple? Is there even a channel to report such things?

At this point I'm unsure how to proceed. There seem to be too many bugs everywhere, even with the browsers that implement ASWebAuthenticationSession 🤷

@roopc Any thoughts? How sure are we that Apple will still allow an app update without ASWebAuthenticationSession? Is it an option to use ASWebAuthenticationSession for the App Store version, and "Loopback" for the out-of-store version?

I suggest trying an update without ASWebAuthenticationSession through the App Store. If they reject, I propose to claim a file according to EU DSA that they misuse their position as a gatekeeper and put their own Browser in an advantageous situation.

@fkooman wrote in https://codeberg.org/eduVPN/apple/issues/589#issuecomment-14735517: > It is not a new browser, it is "just" Safari without address bar. Why Apple decided that X.509 client certificate authentication shouldn't work when using Safari with `ASWebAuthenticationSession` is unclear to me. Maybe intentional, maybe a bug, who knows. Did you report this to Apple? Is there even a channel to report such things? > > At this point I'm unsure how to proceed. There seem to be too many bugs everywhere, even with the browsers that implement `ASWebAuthenticationSession` :shrug: > > @roopc Any thoughts? How sure are we that Apple will still allow an app update without `ASWebAuthenticationSession`? Is it an option to use `ASWebAuthenticationSession` for the App Store version, and "Loopback" for the out-of-store version? I suggest trying an update without ASWebAuthenticationSession through the App Store. If they reject, I propose to claim a file according to EU DSA that they misuse their position as a gatekeeper and put their own Browser in an advantageous situation.
Sign in to join this conversation.
No Branch/Tag specified
master
use_common_api
issue_eduvpn_apple_527
developer_id_distribution
internal-3.0.4-i
debug/debug_block_local
bugfix/376
feature/tests
bump-versions
experimental
fix-swiftlint-warnings
redesign
mergetest
feature/289
use-gplv3-with-app-store-exception
release/2.1.7
tunnelkit_keep_tunnel_when_network_is_down
feature/254
feature/includeall
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1.1
4.1.0
4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.0.0
3.1.0
3.0.8
3.0.7
3.0.6
3.0.5
3.0.4
3.0.3
3.0.2
3.0.1
3.0.0
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.9
2.1.7
release/lets-connect-2.1.7-mac
release/lets-connect-2.1.7-ios
ios/v.2.0.1
ios/v2.0.2
ios/v2.0.3
ios/v2.0.4
ios/v2.1.1
mac/v2.1.1
v2.0.4
v2.0.2
v2.0.3
v2.0.0
v2.0.1
v1.0.0
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
7 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eduVPN/apple#589
Reference in a new issue
eduVPN/apple
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?