[macOS] ChatGPT MacOS application authentication does not launch in Firefox - Implement ASWebAuthenticationSessionWebBrowserSessionHandling in Firefox
Categories
(Core :: Widget: Cocoa, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox133 | --- | affected |
People
(Reporter: freshness, Unassigned)
References
Details
Attachments
(3 files)
MacOS Default Browser.jpg
STR:
- Download and launch ChatGPT MacOS application, Select "Log In"
- User is presented with a prompt to launch Safari
- Safari is launched, despite Firefox being set as default browser
The MacOS ChatGPT application uses ASWebAuthenticationSession [In macOS, the system opens the user’s default browser if it supports web authentication sessions, or Safari otherwise.]
OpenAI pointed me to this documentation and developer guide and referenced how Chromium does it.
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
Reporter | |
Comment 1•1 year ago
|
||
Thank you for the redirects and updates. Is ASWebAuthenticationSession currently on the roadmap (or riding the trains?)
This bug is preventing IT from greenlighting the use of the application for employee use.
|
|
||
Comment 2•1 year ago
|
||
It's not on any roadmap, as far as I am aware. This bug is the first time I've ever heard of this API.
|
|
Reporter | |
Comment 3•1 year ago
|
||
Thanks, Markus. Which API(s) do we currently support for web authentication with iOS and MacOS applications? Is there a standard that we could point their developers toward instead?
|
|
||
Comment 4•1 year ago
|
||
I'm not aware of any web authentication APIs we support - it seems like this would be the right one.
Apps which don't use ASWebAuthenticationSession probably just open a URL the normal way, as if a user had clicked a link. In other words, "the old way" should work fine. If I understand the documentation correctly, it looks like the main benefit of using ASWebAuthenticationSession in an app is the fact that you get a callback when the authentication is finished, whereas with "the old way" you would need to register your app as a protocol handler and have the authentication website open a URL with your custom protocol.
|
||
Comment 5•1 year ago
•
|
||
Just to reiterate the issue, the ChatGPT app is using ASWebAuthenticationSession to authenticate users with its web service. This opens a browser session with the default browser unless ASWebAuthenticationSession is not supported in the default browser. In that case, macOS falls back to Safari per the docs and matching the behavior seen here. Once Firefox supports ASWebAuthenticationSession, the authentication should open in Firefox without any changes in ChatGPT.
This bug is preventing IT from greenlighting the use of the application for employee use.
Until Firefox supports ASWebAuthenticationSession, it looks like our options are
- Relax the restriction and allow Safari to be used to login in this case. If the ChatGPT app uses the
prefersEphemeralWebBrowserSessionoption, then Safari shouldn't be saving any logins or session cookies when it is used to login to ChatGPT. That is the documented behavior of Safari when a ephemeral session is used. Safari might prompt to save the password, but that's true for Firefox too. - Use the web version of ChatGPT only.
- Request the ChatGPT app be changed to use a regular web page authentication method which would allow it work with Firefox or any browser but requires development work on their end.
A user benefit for supporting ASWebAuthenticationSession is that non-prefersEphemeralWebBrowserSession sessions could re-use login credentials already saved in Firefox making the login smoother for Firefox users.
|
||
Comment 6•8 months ago
|
||
I also ran into this issue. A few details that might help:
-
This is reproducible with Slack as well. When I set Firefox as the default browser, the login still falls back to Safari. But if I set Chrome as the default browser, authentication works correctly through Chrome.
-
Apple’s documentation on Supporting Single Sign-On in a Web Browser App seems directly related. The observed behavior matches the note:
“If the default browser doesn’t handle authentication requests, the system falls back on Safari.”
It looks like Firefox is currently missing support for theASWebAuthenticationSessionWebBrowserSessionHandlingprotocol. -
Adding support would benefit users:
- Better security (ASWebAuthenticationSession is the recommended secure SSO API).
- Ephemeral browsing support (optional, but recommended).
- A smoother user experience: no confusing jump into Safari when Firefox is the default browser.
-
This would also benefit Firefox itself, by ensuring users don’t get forced into Safari for app-based SSO flows.
Thanks for considering!
|
||
Comment 7•6 months ago
|
||
Hello, just wanted to add that this impacts Evernote as well, and probably many other applications. De facto, this forces every Firefox user on Mac to rely on Safari for authenticating on apps.
Hello,
Apple is pushing App developers to use "ASWebAuthenticationSessionWebBrowserSessionHandling".
In the eduVPN app review process we got a complaint our macOS App isn't using it (yet).
Guideline 4.0 - Design
The user is taken to the default web browser to sign in or register for an account, which provides a poor user experience.
Next Steps
It is acceptable to take users to the default web browser for some sign in or account registration options if ASWebAuthenticationSession is used for the session. If the app already uses this instance, reply to App Review in App Store Connect and confirm the app uses ASWebAuthenticationSession.
So it would be appreciated if Firefox could support this in future. For users it is a weird experience Safari is opening, when FireFox is the default browser on macOS.
Sorry for the bad formatting of my previous posting (it seems I can't correct it)
|
|
||
Comment 10•2 months ago
|
||
Proof-of-concept implementation. Ephemeral sessions are implemented using
containers and private browsing windows. Supports cold-launch where
Firefox is not already running when the third-party application starts
an authentication.
To test the functionality with a third-party application, 1) Firefox must be
signed using production entitlements (a macOS development cert can be used)
and 2) there should be just one instance of Firefox on the system with the same
bundle ID. For example, to test with a Nightly build, confirm there is only one
instance of the org.mozilla.nightly bundle ID by running
mdfind "kMDItemCFBundleIdentifier == 'org.mozilla.nightly'".
And then removing any other builds or installations.
So far, tested with ChatGPT, Evernote, included tests, and a local test suite.
|
||
Comment 11•15 days ago
|
||
It would be much appreciated to get this implemented at short notice. As mentioned before, for instance also eduVPN (the VPN application deployed by many universities across Europe) now seems to require ASWebAuthenticationSession, ignoring Firefox as a default browser since their most recent upgrade. Thus, any student and teacher on MacOS is expected to face this issue on a daily basis.
I clearly see two risks here: if people are forced to sign in through Safari / Chrome, they might just stick to that browser as default browser. In additon, for those investing time into why this switch has happened, it might create a feeling that Mozilla is behind with regard to development. Both is probably not what we want, in particular when seeing academic users as multiplicators for open source.
|
|
||
Comment 12•15 days ago
|
||
... on the other hand: if Apple enforces ASWebAuthenticationSession, it might be interesting if they misuse their power as gatekeeper according tu EU DMA..
|
||
Comment 13•11 days ago
|
||
Description
•