My app uses 2FA as part of its login process. The 2FA system sends a URL callback to the app when it completes indicating success or failure. Suddenly, on devices running iOS 17.2, the behavior surrounding this callback has changed.
The URL callback is received by the AppDelegate's application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) method, and in iOS 17.1 and previous that happened whether the app was in the foreground or background. On iOS 17.2, however, that method only gets called if the app is in the foreground. If it is in the background it is not called and a message is output to the console containing this error:
Failed to open URL [2FA callback url]. The request to open [app bundle id] failed. The request was denied by service delegate (SBMainWorkspace) for reason: Security ("Application [app bundle id] is neither visible nor entitled, so may not perform un-trusted user actions").
Since most users background the app to open the 2FA app, this is the more likely scenario. The 2FA callback URL is listed in URL Types in Project Info. Is there some step I need to make the app entitled to receive the 2FA callback?