Redirect to URL with custom scheme fails on mobile Safari (Vaadin 8)

Kari2 · August 28, 2018, 12:13pm

We have an OpenID Connect Provider authentication application implemented with Vaadin 8.5.1. A part of what it does is redirect the user back to the relying party’s return URL. That URL might be for a mobile app, which has registered a custom scheme, such as myapp://callback.

Redirecting to a custom scheme works fine on Android with Chrome using any of the techniques we’ve tried. An Android app will open correctly.

But redirecting on Safari on an iPhone to an iOS app seems to fail every time.

We’ve tried every kind of redirect technique we could think of, even chaining multiple redirects together. It seems like Safari blocks the redirect if it was initiated from a Vaadin app. The only way to get the mobile app to open is to create a clickable link and have the user click it manually. This of course isn’t acceptable, since the final URL is dynamically generated after the user has authenticated.

Some of the techniques we’ve tried:

Page.getCurrent().open(url, null);
Page.getCurrent().open(url, "_blank");
Page.getCurrent().setLocation(url);
setLocation() to a servlet that responds with status 302 and location header: (HttpServlet.sendRedirect)
setLocation() to a servlet which generates a page with a Javascript redirect script: <script type="text/javascript">setTimeout("location.href = '%s';",5000);
setLocation() to a servlet which generates a page with meta-refresh element in the head
setLocation() to a servlet which generates a page with a clickable link, and javascript which clicks the link after a delay
setLocation() to a completely external page that redirects with a 302 response

The Safari browser just doesn’t do anything when it comes time to open the mobile app.

If we try to run the servlet manually (not from the Vaadin app, but entering the servlet URL directly to the browser) then the redirects work correctly in Safari and the app opens.

If we redirect to any normal HTTP/HTTPS URL, the redirect works on Safari correctly. The issue is therefore only with custom URL schemes.

The code to our Vaadin test app: https://pastebin.com/HJcCEFQj and to the servlet: https://pastebin.com/U6SLyWvV

Has anyone here tried something like this?

mmlopez · August 31, 2018, 7:02pm

Hi Antti!

There is a technique using an iframe mentioned [in this post]
(https://stackoverflow.com/a/22861457/2593728), that you might want to give a try.

Regards!

Kari25 · August 31, 2018, 7:13pm

Hola Martín!
Thanks a lot! We’re gonna try this out and let you know…
Quite strange “corner case”.
We’ll be back!
-kari

Tatu2 · August 31, 2018, 7:15pm

It is interesting behavior, I did some brief research, and it looks like window.open() Javascript call is in these cases blocked in Safari / iOS.

https://stackoverflow.com/questions/40362093/safari-window-open-doesnt-work

https://stackoverflow.com/questions/45569893/javascript-window-open-issue-in-safari

https://stackoverflow.com/questions/5649962/ipad-safari-popup

What I assume is working is Link, i.e. <a href ...> anchor tag with _blank target.

Please correct me if I am wrong.

Kari25 · August 31, 2018, 7:25pm

I do appreciate your effort! Will test and come back…
BR, Kari

Kari2 · September 3, 2018, 7:58am

Thanks for the suggestions.

Unfortunately using a BrowserFrame (iframe) did not work either.

Again using it worked fine with Android/Chrome (the app opened) and failed to do anything IOS/Safari (browser just displayed an empty iframe).

// Replace UI content with an iframe
BrowserFrame frame = new BrowserFrame("BrowserFrame", new ExternalResource(urlField.getValue()));
frame.setSizeFull();
setContent(frame);