From 80eca0de480c68d2b05df1ad181e83a8a8b195bf Mon Sep 17 00:00:00 2001
From: Connor Callison
Date: Wed, 4 Mar 2026 15:48:18 -0800
Subject: [PATCH] Handle TLS authentication challenges to fix Microsoft device compliance (#806)

WKWebView rejects all authentication challenges by default when webView(_:didReceive:completionHandler:) is not implemented, using .rejectProtectionSpace. This silently breaks TLS client-certificate flows like Microsoft Entra ID Conditional Access, which verifies device compliance via a certificate stored in the system keychain by MDM enrollment. By implementing the delegate method and returning .performDefaultHandling, the system's standard URL-loading behaviour takes over: the keychain is searched for matching client identities, MDM-installed root CAs are trusted, and any configured SSO extensions (e.g. Microsoft Enterprise SSO) can intercept the challenge.

Co-authored-by: Claude Opus 4.6 (1M context)
---
 Sources/Panels/BrowserPanel.swift | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/Sources/Panels/BrowserPanel.swift b/Sources/Panels/BrowserPanel.swift
index 41da6553..00221bb9 100644
--- a/Sources/Panels/BrowserPanel.swift
+++ b/Sources/Panels/BrowserPanel.swift
@@ -3081,6 +3081,24 @@ private class BrowserNavigationDelegate: NSObject, WKNavigationDelegate {
 loadErrorPage(in: webView, failedURL: failedURL, error: nsError)
 }
 
+ func webView(
+ _ webView: WKWebView,
+ didReceive challenge: URLAuthenticationChallenge,
+ completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+ ) {
+ // WKWebView rejects all authentication challenges by default when this
+ // delegate method is not implemented (.rejectProtectionSpace). This
+ // breaks TLS client-certificate flows such as Microsoft Entra ID
+ // Conditional Access, which verifies device compliance via a client
+ // certificate stored in the system keychain by MDM enrollment.
+ //
+ // By returning .performDefaultHandling the system's standard URL-loading
+ // behaviour takes over: the keychain is searched for matching client
+ // identities, MDM-installed root CAs are trusted, and any configured SSO
+ // extensions (e.g. Microsoft Enterprise SSO) can intercept the challenge.
+ completionHandler(.performDefaultHandling, nil)
+ }
+
 func webView(_ webView: WKWebView, webContentProcessDidTerminate: WKWebView) {
 NSLog("BrowserPanel web content process terminated, reloading")
 webView.reload()
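Review bot: The new method replies `.performDefaultHandling` to every challenge, while the comment above `completionHandler(.performDefaultHandling, nil)` justifies only the client-certificate case; HTTP Basic/Digest/NTLM/Negotiate and server-trust challenges now also take the default path instead of the previous rejection, so the behaviour change is wider than the commit describes (for password schemes, credentials already stored in the keychain may now be offered and a 401 body rendered where the error page was shown before — worth confirming). If only the MDM client-certificate flow is intended, switch on `challenge.protectionSpace.authenticationMethod` and keep `.rejectProtectionSpace` for anything not deliberately enabled, as below, adding `NSURLAuthenticationMethodNegotiate` to the accepted cases if Kerberos-style SSO extensions are also in scope; if the wider behaviour is wanted, say so in the comment so the next reader does not narrow it by accident. Default handling keeps the system's server-trust evaluation, so no hand-built `URLCredential(trust:)` is needed here and none should be introduced to "help" the flow. The enclosing `BrowserNavigationDelegate` class starts before the hunk.
```swift
    ) {
        // … unchanged: rationale comment …
        switch challenge.protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate,
             NSURLAuthenticationMethodServerTrust:
            // Let the URL-loading system search the keychain for a matching
            // identity and apply its normal server-trust evaluation.
            completionHandler(.performDefaultHandling, nil)
        default:
            // Keep WKWebView's previous behaviour for every other scheme.
            completionHandler(.rejectProtectionSpace, nil)
        }
    }
```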