Add support for passkeys on login #3996
Merged
marinofaggiana merged 6 commits into master on Feb 21, 2026
Signed-off-by: Milen Pivchev <milen.pivchev@gmail.com>
This was referenced Feb 20, 2026
Pull request overview
This PR modernizes the iOS login flow by implementing ASWebAuthenticationSession for passkey support while maintaining a WKWebView fallback for mTLS certificate authentication. The change addresses multiple issues with WebAuthn, SAML authentication, and OIDC provider compatibility that were failing in the previous WKWebView-only implementation.
Changes:
- Refactored `NCLoginProvider` from a `UIViewController` to an `NSObject` that manages authentication via `ASWebAuthenticationSession` with automatic fallback to WKWebView for mTLS
- Extracted WKWebView functionality into a separate `NCLoginProviderWebViewFallback` view controller for certificate handling scenarios
- Updated login flow initiators (`NCLogin` and `NCIntroViewController`) to use the new authentication model
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| iOSClient/Login/NCLoginProvider.swift | Major refactoring to use ASWebAuthenticationSession as primary authentication method with WKWebView fallback; split into two classes for separation of concerns |
| iOSClient/Login/NCLogin.swift | Updated to instantiate and manage the new NCLoginProvider lifecycle with proper cleanup |
| Brand/Intro/NCIntroViewController.swift | Updated signup flow to use new NCLoginProvider authentication pattern |
marinofaggiana approved these changes Feb 21, 2026
This was referenced Feb 24, 2026
tdhooghe pushed a commit to tdhooghe/swiftnextcloudui that referenced this pull request Mar 8, 2026
WKWebView silently fails to complete cross-domain OIDC redirects (e.g. when Nextcloud delegates authentication to an external IdP like Authentik). The user authenticates successfully on the IdP side, but WKWebView drops the callback redirect back to the Nextcloud origin, leaving the login flow stuck in a polling loop that never resolves.
ASWebAuthenticationSession uses the system browser which properly handles cross-domain redirects, passkeys, and deep links. Credentials continue to be obtained via the existing polling mechanism.
macOS retains the WKWebView sheet since ASWebAuthenticationSession behaves differently on that platform and cross-domain redirects are less problematic there.
Ref: nextcloud/ios#3996 (same fix applied to the main iOS app)
Made-with: Cursor
tdhooghe pushed a commit to tdhooghe/swiftnextcloudui that referenced this pull request Mar 8, 2026
WKWebView silently fails to complete cross-domain OIDC redirects (e.g. when Nextcloud delegates authentication to an external IdP like Authentik). The user authenticates successfully on the IdP side, but WKWebView drops the callback redirect back to the Nextcloud origin, leaving the login flow stuck in a polling loop that never resolves.
Replace WKWebView with ASWebAuthenticationSession on iOS via a new LoginSheet view modifier that encapsulates the platform difference:
- iOS: ASWebAuthenticationSession (system browser, handles OIDC/passkeys)
- macOS: WKWebView sheet (unchanged behavior)
ServerAddressView is now platform-agnostic — it just sets isPresented and the modifier does the right thing per platform. Credentials continue to be obtained via the host app's existing polling mechanism.
Ref: nextcloud/ios#3996 (same fix applied to the main iOS app)
Made-with: Cursor
tdhooghe added a commit to tdhooghe/swiftnextcloudui that referenced this pull request Mar 8, 2026
WKWebView silently fails to complete cross-domain OIDC redirects (e.g. when Nextcloud delegates authentication to an external IdP like Authentik). The user authenticates successfully on the IdP side, but WKWebView drops the callback redirect back to the Nextcloud origin, leaving the login flow stuck in a polling loop that never resolves.
Replace WKWebView with ASWebAuthenticationSession on iOS via a new LoginSheet view modifier that encapsulates the platform difference:
- iOS: ASWebAuthenticationSession (system browser, handles OIDC/passkeys)
- macOS: WKWebView sheet (unchanged behavior)
ServerAddressView is now platform-agnostic — it just sets isPresented and the modifier does the right thing per platform. Credentials continue to be obtained via the host app's existing polling mechanism.
Ref: nextcloud/ios#3996 (same fix applied to the main iOS app)
Made-with: Cursor
Signed-off-by: Thomas <61279337+tdhooghe@users.noreply.github.com>
Made-with: Cursor
tdhooghe added a commit to tdhooghe/swiftnextcloudui that referenced this pull request Mar 8, 2026
WKWebView silently fails to complete cross-domain OIDC redirects (e.g. when Nextcloud delegates authentication to an external IdP like Authentik). The user authenticates successfully on the IdP side, but WKWebView drops the callback redirect back to the Nextcloud origin, leaving the login flow stuck in a polling loop that never resolves.
Replace WKWebView with ASWebAuthenticationSession on iOS via a new LoginSheet view modifier that encapsulates the platform difference:
- iOS: ASWebAuthenticationSession (system browser, handles OIDC/passkeys)
- macOS: WKWebView sheet (unchanged behavior)
ServerAddressView is now platform-agnostic — it just sets isPresented and the modifier does the right thing per platform. Credentials continue to be obtained via the host app's existing polling mechanism.
Ref: nextcloud/ios#3996 (same fix applied to the main iOS app)
Signed-off-by: Thomas Dhooghe <61279337+tdhooghe@users.noreply.github.com>
Made-with: Cursor
tdhooghe added a commit to tdhooghe/swiftnextcloudui that referenced this pull request Mar 8, 2026
WKWebView silently fails to complete cross-domain OIDC redirects (e.g. when Nextcloud delegates authentication to an external IdP like Authentik). The user authenticates successfully on the IdP side, but WKWebView drops the callback redirect back to the Nextcloud origin, leaving the login flow stuck in a polling loop that never resolves.
Replace WKWebView with ASWebAuthenticationSession on iOS via a new LoginSheet view modifier that encapsulates the platform difference:
- iOS: ASWebAuthenticationSession (system browser, handles OIDC/passkeys)
- macOS: WKWebView sheet (unchanged behavior)
ServerAddressView is now platform-agnostic — it just sets isPresented and the modifier does the right thing per platform. Credentials continue to be obtained via the host app's existing polling mechanism.
Ref: nextcloud/ios#3996 (same fix applied to the main iOS app)
Signed-off-by: Thomas Dhooghe <61279337+tdhooghe@users.noreply.github.com>
Thanks to @UBaggeler for his original proposal: #3938
Implemented `ASWebAuthenticationSession` that allows the use of passkeys on log in. Also potentially fixes "unsupported browser" issue.
Fixes:
#1645
#2901
#3636
#2300
and more.
WKWebView is still used as a fallback for mTLS importing: #3685 (WIP)
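The system-browser login path this PR describes, with credentials collected by polling as the referencing commits mention, shown as an added Swift example that is not code from nextcloud/ios. It assumes the Nextcloud Login Flow v2 response shape (a login URL plus a poll endpoint and token, obtained from `POST <server>/index.php/login/v2`); `AppCredentials` and `SystemBrowserLogin` are hypothetical names, and the mTLS fallback is not covered.

```swift
import AuthenticationServices
import Foundation

// Added example, not code from nextcloud/ios; all type and method names are hypothetical.
struct AppCredentials: Decodable {   // fields of a successful Login Flow v2 poll reply
    let server, loginName, appPassword: String
}
final class SystemBrowserLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let anchor: ASPresentationAnchor
    private var session: ASWebAuthenticationSession?
    private var onFinish: ((AppCredentials?) -> Void)?
    init(anchor: ASPresentationAnchor) { self.anchor = anchor; super.init() }
    // Assumption: inputs come from the Login Flow v2 bootstrap. Call on the main thread and retain self.
    func start(loginURL: URL, pollEndpoint: URL, token: String,
               onFinish: @escaping (AppCredentials?) -> Void) {
        self.onFinish = onFinish
        // No callback scheme: the app never sees the IdP page, its cookies or the passkey prompt.
        let session = ASWebAuthenticationSession(url: loginURL, callbackURLScheme: nil) { [weak self] _, _ in
            DispatchQueue.main.async { self?.finish(nil) }   // sheet closed before login completed
        }
        session.presentationContextProvider = self
        self.session = session
        session.start()
        var request = URLRequest(url: pollEndpoint)
        request.httpMethod = "POST"
        request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
        var form = URLComponents()
        form.queryItems = [URLQueryItem(name: "token", value: token)]
        request.httpBody = form.percentEncodedQuery?.data(using: .utf8)
        poll(request)
    }
    private func poll(_ request: URLRequest) {
        URLSession.shared.dataTask(with: request) { [weak self] data, response, _ in
            DispatchQueue.main.async {
                guard let self, self.session != nil else { return }   // already finished
                if (response as? HTTPURLResponse)?.statusCode == 200, let data,
                   let creds = try? JSONDecoder().decode(AppCredentials.self, from: data) {
                    self.finish(creds)
                } else {   // not authenticated yet (the endpoint answers 404): retry in 2 s
                    DispatchQueue.main.asyncAfter(deadline: .now() + 2) { [weak self] in self?.poll(request) }
                }
            }
        }.resume()
    }
    private func finish(_ creds: AppCredentials?) {
        guard let session else { return }   // deliver the result only once
        self.session = nil
        session.cancel()
        onFinish?(creds); onFinish = nil
    }
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }
}
```

The poll token stands in for the credentials until the poll succeeds, so it should be kept out of logs, and the returned app password belongs in the Keychain.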