OAuth 2.0 (Complex)

Enable secure OAuth authentication flows for iOS devices using the native Safari View Controller with the Despia SDK, following Apple's UX guidelines for in-app authentication.

WE ARE WORKING ON MAKING OAUTH EASIER TO SETUP FOR NON-TECHNICAL USERS - THIS INTEGRATION IS FOR ADVANCED USERS

AI Prompt
AI Prompt

Add OAuth authentication functionality to my app using the Despia SDK from: https://www.npmjs.com/package/despia-native

First, install the package: npm install despia-native

Then import it: import despia from 'despia-native'

For Android devices, use the standard browser OAuth flow. No special handling is required. Android's external deeplinkable browser is directly available in the app, allowing easy exit back into the app via App Links. Simply configure App Links via your assetlinks.json file to enable seamless return to the app after authentication. You can learn more about Android deeplinking here: https://npm.despia.com/default-guide/native-features/deeplinking\

FOR THE WEB VERSION FOLLOW YOUR OWN BEST PRACTICES AND MEMORY 100% - NO DO NOT ADJUST HOW YOUR WOULD DO THE FLOW AT ALL!

NOTE: When using Supabase or other backend tools, use their own provided redirect URLs available for their web version or Android, such as: https://myapp.supabase.co/auth/v1/callback

Also, for the iOS version, on the /oauth/callback/ios callback page, exchange the OAuth token for a real session token - not another OAuth refresh token. This should be the token that will be set as a cookie.

Never uri encode the “url” parameter value, keep it as is like “https://example.com” - encoding will crash the app.

Also make siure that whne your call despia("safariviewcontroller://?url=https://accounts.google.com/o/oauth2/v2/auth?client_id=YOUR_CLIENT_ID&redirect_uri=https://yourapp.com/oauth/callback/ios&response_type=code&scope=email") that the url= value has a ? as the first query parameter and not a & - as it’s it’s own url value, missing this will cause the flow to break due to parsing errors.

When working with OAuth flows, make sure that redirects only happen after the necessary APIs have successfully finished running to avoid redirect errors or blank pages—code needs to run chronologically.

For iOS devices, Apple does not support App Links the same way Android does. To exit the Safari View Controller and return to the main Despia webview, you need a callback page that opens your app's deeplink scheme like: myapp://?link=https://myapp.com/oauth/callback?access_token={TOKEN}

Important: Only trigger the iOS OAuth flow if the user agent includes despia combined with iphone or ipad. ONLY THEN call the despia() function to start the iOS OAuth process.

Define your deeplink scheme and detect iOS Despia environment:

// Replace "myapp" with your deeplink scheme found in Despia project under Publish settings, near Bundle ID
const DEEPLINK_NAME = "myapp";

function isDespiaiOS() {
  const ua = navigator.userAgent.toLowerCase();
  return ua.includes('despia') && (ua.includes('iphone') || ua.includes('ipad'));
}

Start iOS OAuth with Safari View Controller:

if (isDespiaiOS()) {
  despia("safariviewcontroller://?url=https://accounts.google.com/o/oauth2/v2/auth?client_id=YOUR_CLIENT_ID&redirect_uri=https://yourapp.com/oauth/callback/ios&response_type=code&scope=email");
}

This opens the native in-app tab browser for OAuth, which is iOS OAuth best practices. While you could open it in Safari directly, this will cause App Store rejection due to Apple's UX guidelines.

iOS requires a dedicated /oauth/callback/ios page only for the iOS callback when using OAuth flows with Safari View Controller. This page will be the callback/redirect URI registered with your OAuth provider. This is an additional redirect URI that you must whitelist specifically for the iOS OAuth process.

After the iOS native OAuth process completes, the provider redirects to /oauth/callback/ios still inside the Safari View Controller (in-app tab). This callback page displays a spinner, takes the query parameters from your OAuth provider, exchanges them on your backend for an actual access token from your auth system, and then opens the deeplink to return to the main webview while closing the Safari View Controller.

iOS Callback Page (/oauth/callback/ios) example:

// Replace "myapp" with your deeplink scheme found in Despia project under Publish settings, near Bundle ID
const DEEPLINK_NAME = "myapp";

async function handleiOSCallback() {
  const params = new URLSearchParams(window.location.search);
  const code = params.get('code');
  
  // Exchange code for access token via your backend
  const response = await fetch('/api/auth/exchange', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ code })
  });
  
  const { access_token } = await response.json();
  
  // Exit Safari View Controller and open main webview callback
  window.location.href = `${DEEPLINK_NAME}://?link=https://myapp.com/oauth/callback?access_token=${access_token}`;
}

handleiOSCallback();

Summary: For the iOS native flow, you have 2 callback pages. The first one (/oauth/callback/ios) is a helper page that exits the in-app Safari View Controller and exchanges the authorization code for an access token. When it calls the deeplink, that redirects in the main webview (after closing the Safari View Controller) to open the standard callback page, which then sets the auth cookie and logs the user in.

Find your app's deeplink scheme in your Despia project under Publish settings, located near the Bundle ID.

This feature requires native capabilities which will be fully provided by the "despia-native" npm package, no additional native libraries are needed!

Please follow the installation instructions for the "despia-native" npm package closely, and do not modify my instructions. Implementation as mentioned is critical.

How it works

Despia acts as a bridge between your web app and native authentication. The OAuth implementation differs between Android and iOS due to platform-specific requirements.

Android Setup

Android devices can use the standard browser OAuth flow with no special handling required.

Android's App Links system allows the external browser to redirect directly back into your app after authentication. Simply configure your assetlinks.json file to enable this seamless flow:

  1. Use standard browser redirect for OAuth (window.location.href = oauthUrl)

  2. Configure your App Links in the assetlinks.json file hosted at https://yourapp.com/.well-known/assetlinks.json

  3. Register your standard callback URL (e.g., https://yourapp.com/oauth/callback) with your OAuth provider

That's it—no deeplink schemes or special callback pages needed for Android.

iOS Setup

iOS requires a special flow using Safari View Controller.

Apple does not support App Links the same way Android does. Additionally, Apple's UX guidelines require OAuth flows to use the Safari View Controller (an in-app browser tab) rather than redirecting to Safari—violating this causes App Store rejection.

To exit the Safari View Controller and return to your main app webview, you must use your app's custom URL scheme deeplink.

Find your app's deeplink scheme in your Despia project under Publish settings, located near the Bundle ID. Your deeplink scheme will look like: com.yourcompany.yourapp:// or a custom scheme like yourappname://

Installation

Install the Despia package from NPM:

npm install despia-native

Usage

1. Import the SDK

import despia from 'despia-native';

2. Define Your App Deeplink Scheme

// Find this in your Despia project under Publish settings, near Bundle ID
const APP_DEEPLINK_SCHEME = 'myapp://';
const APP_BASE_URL = 'https://yourapp.com';

3. Detect iOS Despia Environment

Before initiating OAuth, check if the user is on an iOS device within the Despia app:

function isDespiaiOS() {
  const ua = navigator.userAgent.toLowerCase();
  return ua.includes('despia') && (ua.includes('iphone') || ua.includes('ipad'));
}

4. Initiate OAuth Flow

Call the despia() function with a Safari View Controller URL only for iOS devices:

function startOAuth() {
  const oauthUrl = `https://accounts.google.com/o/oauth2/v2/auth?client_id=YOUR_CLIENT_ID&redirect_uri=${encodeURIComponent(APP_BASE_URL + '/oauth/callback/ios')}&response_type=code&scope=email profile`;
  
  if (isDespiaiOS()) {
    // iOS: Use Safari View Controller
    despia(`safariviewcontroller://?url=${oauthUrl}`);
  } else {
    // Android/Web: Use standard browser redirect
    window.location.href = oauthUrl.replace('/oauth/callback/ios', '/oauth/callback');
  }
}

iOS OAuth Flow Architecture

The iOS OAuth flow requires two callback pages working together:

┌─────────────────────────────────────────────────────────────────────────┐
│  1. User taps "Sign In"                                                 │
│     ↓                                                                   │
│  2. despia("safariviewcontroller://?url=https://oauth-provider.com")    │
│     ↓                                                                   │
│  3. Safari View Controller opens (in-app browser tab)                   │
│     ↓                                                                   │
│  4. User authenticates with OAuth provider                              │
│     ↓                                                                   │
│  5. Provider redirects to /oauth/callback/ios (still in Safari VC)      │
│     ↓                                                                   │
│  6. Callback page exchanges code for access token via backend           │
│     ↓                                                                   │
│  7. Page triggers deeplink: {app-scheme}://?link=https://app.com/...    │
│     ↓                                                                   │
│  8. Safari View Controller closes, main webview opens callback URL      │
│     ↓                                                                   │
│  9. Main webview callback sets auth cookie, user is logged in           │
└─────────────────────────────────────────────────────────────────────────┘

Callback Pages Setup

iOS Callback Page (/oauth/callback/ios)

This helper page runs inside the Safari View Controller. It exchanges the authorization code for an access token, then triggers a deeplink to exit back to the main app:

<!-- /oauth/callback/ios -->
<html>
<body>
  <div class="spinner">Completing sign in...</div>
  <script>
    // Find this in your Despia project under Publish settings, near Bundle ID
    const APP_DEEPLINK_SCHEME = 'com.yourcompany.yourapp://';
    const APP_BASE_URL = 'https://yourapp.com';
    
    async function handleCallback() {
      // Get authorization code from URL
      const params = new URLSearchParams(window.location.search);
      const code = params.get('code');
      
      // Exchange code for access token via your backend
      const response = await fetch('/api/auth/exchange', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ code })
      });
      
      const { access_token } = await response.json();
      
      // Exit Safari View Controller and open main webview callback
      window.location.href = `${APP_DEEPLINK_SCHEME}?link=${APP_BASE_URL}/oauth/callback?access_token=${access_token}`;
    }
    
    handleCallback();
  </script>
</body>
</html>

Main Callback Page (/oauth/callback)

This page runs in the main app webview after the Safari View Controller closes. It sets the authentication cookie and completes the login:

// /oauth/callback
function completeLogin() {
  const params = new URLSearchParams(window.location.search);
  const accessToken = params.get('access_token');
  
  if (accessToken) {
    // Set authentication cookie or store token
    document.cookie = `auth_token=${accessToken}; path=/; secure; samesite=strict`;
    
    // Redirect to authenticated area
    window.location.href = '/dashboard';
  }
}

completeLogin();

OAuth Provider Configuration

You must register two redirect URIs with your OAuth provider:

Platform

Redirect URI

Purpose

iOS

https://yourapp.com/oauth/callback/ios

Safari View Controller callback

Android/Web

https://yourapp.com/oauth/callback

Standard browser callback

URL Parameters

Safari View Controller URLs use this format:

Parameter

Description

url

The full OAuth provider authorization URL (must be URL-encoded)

Deeplink return URLs use this format:

Parameter

Description

link

The full callback URL to open in the main webview after closing Safari View Controller

Platform Support

Platform

OAuth Method

Requirements

iOS (iPhone, iPad)

Safari View Controller via Despia

Deeplink scheme (from Publish settings), /oauth/callback/ios page

Android

Standard browser redirect

App Links via assetlinks.json

Web

Standard browser redirect

None

Important Notes

  • Apple UX Guidelines: Using Safari directly instead of Safari View Controller will cause App Store rejection. Always use safariviewcontroller:// for iOS OAuth.

  • User Agent Detection: Only trigger the iOS flow when the user agent contains both "despia" AND ("iphone" OR "ipad").

  • Deeplink Scheme: Find your app's deeplink scheme in your Despia project under Publish settings, located near the Bundle ID.

  • Whitelist Redirect URIs: Remember to whitelist the iOS-specific callback URL with every OAuth provider you integrate.

Resources

Integration

This SDK is optimized for prompt-based AI builders, enabling quick integration of native OAuth features via minimal JavaScript into your generated apps.

Need Help?

For additional support or questions, please contact our support team at support@despia.com

Updated on
Offline Apps
CDN Setup