openid · MiuraKairi · Dec 5, 2024
diff --git a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h
@@ -43,8 +43,8 @@ API_UNAVAILABLE(macCatalyst)
     @discussion The specific authentication UI used depends on the iOS version and accessibility
         options. iOS 8 uses the system browser, iOS 9-10 use @c SFSafariViewController, iOS 11 uses
         @c SFAuthenticationSession
-        (unless Guided Access is on which does not work) or uses @c SFSafariViewController, and iOS
-        12+ uses @c ASWebAuthenticationSession (unless Guided Access is on).
+        (unless Guided Access or Assistive Access is on which does not work) or uses @c SFSafariViewController, and iOS
+        12+ uses @c ASWebAuthenticationSession (unless Guided Access or Assistive Access is on).
  */
 - (nullable instancetype)initWithPresentingViewController:
     (UIViewController *)presentingViewController
@@ -54,7 +54,7 @@ API_UNAVAILABLE(macCatalyst)
     @param presentingViewController The view controller from which to present the browser.
     @param prefersEphemeralSession Whether the caller prefers to use a private authentication
         session. See @c ASWebAuthenticationSession.prefersEphemeralWebBrowserSession for more.
-    @discussion Authentication is performed with @c ASWebAuthenticationSession (unless Guided Access
+    @discussion Authentication is performed with @c ASWebAuthenticationSession (unless Guided Access or Assistive Access
         is on), setting the ephemerality based on the argument.
  */
 - (nullable instancetype)initWithPresentingViewController:

diff --git a/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m
@@ -24,6 +24,7 @@
 
 #import <SafariServices/SafariServices.h>
 #import <AuthenticationServices/AuthenticationServices.h>
+#import <Accessibility/Accessibility.h>
 
 #import "OIDErrorUtilities.h"
 #import "OIDExternalUserAgentSession.h"
@@ -100,8 +101,12 @@ - (BOOL)presentExternalUserAgentRequest:(id<OIDExternalUserAgentRequest>)request
 
   // iOS 12 and later, use ASWebAuthenticationSession
   if (@available(iOS 12.0, *)) {
-    // ASWebAuthenticationSession doesn't work with guided access (rdar://40809553)
-    if (!UIAccessibilityIsGuidedAccessEnabled()) {
+    BOOL assistiveAccessEnabled = NO;
+    if (@available(iOS 18.0, *)) {
+      assistiveAccessEnabled = AXAssistiveAccessEnabled();
+    }
+    // ASWebAuthenticationSession doesn't work with guided access (rdar://40809553) or assistive access
+    if (!UIAccessibilityIsGuidedAccessEnabled() && !assistiveAccessEnabled) {
       __weak OIDExternalUserAgentIOS *weakSelf = self;
       NSString *redirectScheme = request.redirectScheme;
       ASWebAuthenticationSession *authenticationVC =
@@ -136,32 +141,38 @@ - (BOOL)presentExternalUserAgentRequest:(id<OIDExternalUserAgentRequest>)request
   }
   // iOS 11, use SFAuthenticationSession
   if (@available(iOS 11.0, *)) {
-    // SFAuthenticationSession doesn't work with guided access (rdar://40809553)
-    if (!openedUserAgent && !UIAccessibilityIsGuidedAccessEnabled()) {
-      __weak OIDExternalUserAgentIOS *weakSelf = self;
-      NSString *redirectScheme = request.redirectScheme;
-      SFAuthenticationSession *authenticationVC =
-          [[SFAuthenticationSession alloc] initWithURL:requestURL
-                                     callbackURLScheme:redirectScheme
-                                     completionHandler:^(NSURL * _Nullable callbackURL,
-                                                         NSError * _Nullable error) {
-        __strong OIDExternalUserAgentIOS *strongSelf = weakSelf;
-        if (!strongSelf) {
-            return;
-        }
-        strongSelf->_authenticationVC = nil;
-        if (callbackURL) {
-          [strongSelf->_session resumeExternalUserAgentFlowWithURL:callbackURL];
-        } else {
-          NSError *safariError =
-              [OIDErrorUtilities errorWithCode:OIDErrorCodeUserCanceledAuthorizationFlow
-                               underlyingError:error
-                                   description:@"User cancelled."];
-          [strongSelf->_session failExternalUserAgentFlowWithError:safariError];
-        }
-      }];
-      _authenticationVC = authenticationVC;
-      openedUserAgent = [authenticationVC start];
+    if (!openedUserAgent) {
+      BOOL assistiveAccessEnabled = NO;
+      if (@available(iOS 18.0, *)) {
+        assistiveAccessEnabled = AXAssistiveAccessEnabled();
+      }
+      // SFAuthenticationSession doesn't work with guided access (rdar://40809553) or assistive access
+      if (!UIAccessibilityIsGuidedAccessEnabled() && !assistiveAccessEnabled) {
+        __weak OIDExternalUserAgentIOS *weakSelf = self;
+        NSString *redirectScheme = request.redirectScheme;
+        SFAuthenticationSession *authenticationVC =
+            [[SFAuthenticationSession alloc] initWithURL:requestURL
+                                       callbackURLScheme:redirectScheme
+                                       completionHandler:^(NSURL * _Nullable callbackURL,
+                                                           NSError * _Nullable error) {
+          __strong OIDExternalUserAgentIOS *strongSelf = weakSelf;
+          if (!strongSelf) {
+              return;
+          }
+          strongSelf->_authenticationVC = nil;
+          if (callbackURL) {
+            [strongSelf->_session resumeExternalUserAgentFlowWithURL:callbackURL];
+          } else {
+            NSError *safariError =
+                [OIDErrorUtilities errorWithCode:OIDErrorCodeUserCanceledAuthorizationFlow
+                                 underlyingError:error
+                                     description:@"User cancelled."];
+            [strongSelf->_session failExternalUserAgentFlowWithError:safariError];
+          }
+        }];
+        _authenticationVC = authenticationVC;
+        openedUserAgent = [authenticationVC start];
+      }
     }
   }
   // iOS 9 and 10, use SFSafariViewController