The integrated Swift OAuth flow opens Stack's /api/v1/auth/oauth/authorize/<provider> URL directly in ASWebAuthenticationSession:
https://github.com/hexclave/swift-sdk-prerelease/blob/784d1471552399b5ed4312bf485d2c011621c624/Sources/StackAuth/StackClientApp.swift#L144-L157
That request does not include stack_response_mode=json, so the Stack backend treats it as the legacy browser redirect flow. In that mode the backend sets and later requires stack-oauth-inner-<state> on the provider callback:
https://github.com/hexclave/stack-auth/blob/d0202ee8b6d5c476b8e8b81cc66a02539f30dc01/apps/backend/src/app/api/latest/auth/oauth/authorize/%5Bprovider_id%5D/route.tsx#L166-L190
https://github.com/hexclave/stack-auth/blob/d0202ee8b6d5c476b8e8b81cc66a02539f30dc01/apps/backend/src/app/api/latest/auth/oauth/callback/%5Bprovider_id%5D/route.tsx#L116-L124
In native/iOS flows this can fail at the inner provider callback with:
Inner OAuth cookie not found. This is likely because you refreshed the page during the OAuth sign in process. Please try signing in again
Observed callback shape, with code redacted:
https://api.stack-auth.com/api/v1/auth/oauth/callback/google?state=<inner-state>&iss=https%3A%2F%2Faccounts.google.com&code=<redacted>&scope=...
The JS SDK avoids this by calling authorize with stack_response_mode=json, parsing the JSON { location }, and navigating to the returned provider URL:
https://github.com/hexclave/stack-auth/blob/d0202ee8b6d5c476b8e8b81cc66a02539f30dc01/packages/stack-shared/src/interface/client-interface.ts#L1418-L1420
Suggested fix for Swift: in signInWithOAuth, request the Stack authorize endpoint with stack_response_mode=json using URLSession, parse the location, then open that provider URL in ASWebAuthenticationSession. Do not simply append stack_response_mode=json to the URL currently opened by ASWebAuthenticationSession, because that would show the JSON response instead of navigating to Google/GitHub/etc.
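The suggested fix above, as an added example (not code from the Swift SDK or from the issue author). It assumes `authorizeURL` is the Stack authorize URL the SDK already builds, that the backend answers with a 2xx status and a JSON body `{ "location": ... }` as described for the JS SDK, and that `callbackScheme` is the app's registered URL scheme; `resolveProviderURL` and `makeProviderSession` are hypothetical names.

```swift
import AuthenticationServices
import Foundation

// JSON body described in the issue: { "location": "<provider URL>" }.
struct AuthorizeResponse: Decodable { let location: URL }

enum OAuthStartError: Error {
    case badAuthorizeURL
    case unexpectedStatus(Int)
    case untrustedLocation(URL)
}

/// Adds stack_response_mode=json to the authorize URL, fetches it with URLSession
/// (not in the browser session), and returns the provider URL found in `location`.
func resolveProviderURL(authorizeURL: URL, session: URLSession = .shared) async throws -> URL {
    guard var components = URLComponents(url: authorizeURL, resolvingAgainstBaseURL: false) else {
        throw OAuthStartError.badAuthorizeURL
    }
    // Replace any existing value so the parameter is sent exactly once.
    var items = (components.queryItems ?? []).filter { $0.name != "stack_response_mode" }
    items.append(URLQueryItem(name: "stack_response_mode", value: "json"))
    components.queryItems = items
    guard let url = components.url else { throw OAuthStartError.badAuthorizeURL }

    let (data, response) = try await session.data(from: url)
    let status = (response as? HTTPURLResponse)?.statusCode ?? -1
    guard (200..<300).contains(status) else { throw OAuthStartError.unexpectedStatus(status) }

    let providerURL = try JSONDecoder().decode(AuthorizeResponse.self, from: data).location
    // Hand only an https URL to the browser session; reject anything else.
    guard providerURL.scheme == "https" else { throw OAuthStartError.untrustedLocation(providerURL) }
    return providerURL
}

/// Builds the ASWebAuthenticationSession on the provider URL instead of the Stack
/// authorize URL. The caller keeps a reference to the returned session, sets
/// presentationContextProvider, and calls start().
func makeProviderSession(
    authorizeURL: URL,
    callbackScheme: String, // assumption: the app's registered scheme
    completion: @escaping (URL?, Error?) -> Void
) async throws -> ASWebAuthenticationSession {
    let providerURL = try await resolveProviderURL(authorizeURL: authorizeURL)
    return ASWebAuthenticationSession(url: providerURL,
                                      callbackURLScheme: callbackScheme,
                                      completionHandler: completion)
}
```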