App rejected from iOS App Store due to AuthSession

#1

Hi, I am using AuthSession feature to login users to my app and they rejected in the App store with the following message:

Guideline 3.1.4 - Business - Payments - Content Codes

Your app unlocks or enables additional functionality with mechanisms such as promo codes, data transfer codes, license keys, augmented reality markers, or QR codes, which is not appropriate for the App Store.

Guideline 4.0 - Design

We noticed that the user is taken to Safari to sign in or register for an account, which provides a poor user experience.

Next Steps

To resolve this issue, please revise your app to enable users to sign in or register for an account in the app.

We recommend implementing the Safari View Controller API to display web content within your app. The Safari View Controller allows the display of a URL and inspection of the certificate from an embedded browser in an app so that customers can verify the webpage URL and SSL certificate to confirm they are entering their sign in credentials into a legitimate page.

Resources

For additional information on the Safari View Controller API, please review the What’s New in Safari webpage.

Do you know how I can fix this issue, is the AuthSession not allowed in iOS to be used?
Thanks

0 Likes

#2

Hey there, I’m sorry to hear that you ran into some trouble with Apple.

Expo’s AuthSession API on iOS only ever opens only ever opens SFSafariAuthenticationSession or SFSafariViewController. It does not redirect the user to another app. Are you sure you’re using AuthSession correctly?

0 Likes

#3

Hi, yes I am actually using the Auth0 example as is, without any change and it,s getting rejected with that message.

Thanks for the help

0 Likes

#4

Hi, sorry to even be asking but is it possible to just show the exact code being used? Like it being invoked as well.

0 Likes

#5

Sure, the code I am running when the user click the sign in button is this

  signIn = async () => {
    const { t } = this.props;
    const auth0ClientId = getConfigKey("auth0ClientId");
    const auth0Domain = getConfigKey("auth0Domain");
    const auth0Audience = getConfigKey("auth0ApiAudience");
    const redirectUrl = AuthSession.getRedirectUrl();
    const result = await AuthSession.startAsync({
      authUrl: `https://${auth0Domain}/authorize` + toQueryString({
        client_id: auth0ClientId,
        response_type: 'code',
        scope: 'openid profile email offline_access',
        redirect_uri: redirectUrl,
        lockType: "email",
        audience: auth0Audience
      }),
    });
    if (result.type === "success") {
      this.props.login({ ...result.params, redirect_uri: redirectUrl });
    } else {
      Alert.alert(t("common:error"), t("login:cancelledMessage"))
    }
  }
0 Likes

#6

Taking a step back, when you log in with your app (best to use a TestFlight build to more accurately see what the reviewer sees), does the Safari app open on your phone? As mentioned above, AuthSession should present only the native Safari View Controllers that Apple suggests, but they say your app opens the actual Safari app.

Additionally, regarding Guideline 3.1.4, does your app have promo codes, license keys, or something similar to what they’ve pointed out?

0 Likes

#7

The app opens the Safari View Controller I tested it in the simulator, I don’t know why they say is opening the safari browser.

My app does not have promo code/license keys,

The app is for a system where users should first receive a welcome email before allowed them to login to the app, either way I provide them with a email/password to review the app.

I just tried it in TestFlight and it works as expected.

0 Likes

#8

We don’t know why exactly your app was not accepted – only the Apple reviewer can tell you that – but if you believe your app conforms to the guidelines you can politely write back to them and ask them to look again.

AuthSession does use SFAuthenticationSession on iOS 11+ and SFSafariViewController on iOS 9 and 10, as Apple has recommended in that guideline. And promo codes to unlock functionality aren’t in the API, either, so with the current information (and the fact that other developers’ apps appear to be getting accepted) this is a better question to ask Apple.

0 Likes

#9

It seems they are rejecting my app because of the popup that appears when you press the login button, they provide me this screenshot http://a709.phobos.apple.com/us/r30/Purple118/v4/91/a9/8a/91a98a9b-dd97-7e1b-735d-bf2abc93d4c7/attachment-3129652749320184483Screenshot_0301_153010.png?downloadKey3=1520213280_b42eb3149e3e9b9316ad8f3af5271617

Is is possible to remove the popup, I ask them politely but I don’t have a clear response honestly, I don’t know what else to do.

Thanks again for all the help.

0 Likes

#10

That pop-up cannot be removed because it’s part of Apple’s own security model.

If an application uses SFAuthenticationSession, users are prompted by a dialog to give explicit consent, allowing the application to access the website’s data in Safari.

From: https://developer.apple.com/documentation/safariservices/sfauthenticationsession

0 Likes

#11

Thanks, they I will try to ask for a second review, thanks for all the help.

0 Likes

closed #12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

0 Likes