feat(supabase_flutter)!: use a system web auth session for OAuth, SSO and identity linking #1403

Draft
spydon wants to merge 1 commit into v3 from feat/oauth-web-auth-session

spydon commented Jun 12, 2026

Contributor

What

Move signInWithOAuth, signInWithSSO and linkIdentity off url_launcher and onto a native system web authentication session via flutter_web_auth_2:

  • iOS and macOS: ASWebAuthenticationSession
  • Android: Custom Tabs
  • Web: full page redirect of the current tab (unchanged behavior, now done via the web package)

The session captures the redirect to the redirectTo scheme, closes itself, and returns the callback URL, which is exchanged with getSessionFromUrl.

Addresses #1402. Fixes #1174.

Why

url_launcher's in-app browser does not dismiss itself when the OAuth redirect returns to the app, leaving the user on a blank page after a successful sign in (#1174). A system web auth session is OS owned, auto-dismisses, and hands the callback back to the caller, so it fixes the dismissal on every platform and lets the call resolve on completion.

Changes

  • Add flutter_web_auth_2; remove url_launcher as a direct dependency and the LaunchMode export.
  • Replace authScreenLaunchMode / launchMode with a preferEphemeral option.
  • Derive the callback scheme from redirectTo; forward host and path for https universal links.
  • Web redirect via a small conditional-import shim over package:web.
  • README updated with the required native config; new oauth_test.dart covering the native flow, preferEphemeral, https universal links, and the missing-redirectTo error.

Breaking changes

  • authScreenLaunchMode / launchMode removed; LaunchMode no longer exported.
  • Android apps must register the flutter_web_auth_2 CallbackActivity for their redirect scheme.
  • The OAuth callback no longer arrives through the app_links deep link handler (magic links, email confirmation and password recovery still do).

Status

Draft. flutter analyze and flutter test pass, but the native and desktop flows have not been verified on device yet. See the open questions in #1402 (forcing the external browser, the web popup vs redirect choice, dropping the Google on Android workaround, desktop callback model).

… and identity linking

Route signInWithOAuth, signInWithSSO and linkIdentity through
flutter_web_auth_2 on native and desktop platforms, so the auth screen
runs in ASWebAuthenticationSession on Apple platforms and Custom Tabs on
Android. The session captures the redirect itself and closes
automatically, fixing the blank in-app browser that was left open after a
successful sign in (#1174). On web the current tab is redirected as before.

url_launcher is dropped as a direct dependency and the LaunchMode export
is removed. The authScreenLaunchMode/launchMode parameters are replaced by
a preferEphemeral option that maps to the web auth session.

BREAKING CHANGE: signInWithOAuth, signInWithSSO and linkIdentity no longer
accept authScreenLaunchMode/launchMode, and the LaunchMode export is
removed. Android apps must register the flutter_web_auth_2 CallbackActivity
for their redirect scheme. The OAuth callback no longer arrives through the
app_links deep link handler.
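
The derivation listed under Changes (callback scheme taken from redirectTo, host and path forwarded for https universal links, an error when redirectTo is missing), as an added example in plain Dart. It is not code from this PR: `CallbackTarget`, `deriveCallbackTarget` and `callbackMatches` are hypothetical names, and the check of the returned callback URL before it is exchanged is an assumption of this example, not behaviour the PR describes.

```dart
// Added example: hypothetical helpers, not code from the PR.
class CallbackTarget {
  const CallbackTarget(this.scheme, {this.httpsHost, this.httpsPath});
  final String scheme;
  final String? httpsHost; // set only for https universal links
  final String? httpsPath;
}

/// Derives the session's callback scheme (and https host/path) from redirectTo.
CallbackTarget deriveCallbackTarget(String? redirectTo) {
  if (redirectTo == null || redirectTo.isEmpty) {
    throw ArgumentError('redirectTo is required for a web auth session');
  }
  final uri = Uri.parse(redirectTo);
  if (!uri.hasScheme) {
    throw ArgumentError.value(redirectTo, 'redirectTo', 'no URL scheme');
  }
  if (uri.scheme != 'https') return CallbackTarget(uri.scheme);
  if (uri.host.isEmpty) {
    throw ArgumentError.value(redirectTo, 'redirectTo', 'https needs a host');
  }
  return CallbackTarget('https', httpsHost: uri.host, httpsPath: uri.path);
}

String _trimSlash(String p) =>
    p.endsWith('/') ? p.substring(0, p.length - 1) : p;

/// Assumed extra check: accept the returned URL only if it targets redirectTo.
bool callbackMatches(String redirectTo, Uri callback) {
  final expected = Uri.parse(redirectTo);
  return callback.scheme == expected.scheme &&
      callback.host == expected.host &&
      _trimSlash(callback.path) == _trimSlash(expected.path);
}

void main() {
  // Constructed sample values, not taken from the PR.
  const custom = 'com.example.app://login-callback';
  const universal = 'https://app.example.com/auth/callback';
  final t = deriveCallbackTarget(universal);
  print('${deriveCallbackTarget(custom).scheme} / '
      '${t.scheme} ${t.httpsHost} ${t.httpsPath}');
  print(callbackMatches(custom, Uri.parse('$custom/?code=abc')));
  print(callbackMatches(universal, Uri.parse('$universal?code=abc')));
  print(callbackMatches(
      universal, Uri.parse('https://other.example/auth/callback')));
}
```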