Fixing silent iOS auth failure with PKCE
By Ahmed "Riz" Ratul · 2026-03-24 03:48:13 · Supabase, iOS, Auth
The auth flow that works everywhere except iOS WebViews. How PKCE fixes it.
This one cost us two days.
The symptom
Supabase auth works perfectly on web and Android. On iOS, users tap "Sign in with Google" and... nothing happens. No error. No callback. The WebView just sits there.
The root cause
iOS WKWebView has strict security policies around cross-origin redirects. The standard OAuth flow redirects to Supabase's callback URL, which then redirects back to the app. iOS blocks the second redirect silently.
The fix: PKCE
PKCE (Proof Key for Code Exchange) changes the flow. Instead of relying on redirects, the client generates a code verifier, sends a code challenge to the auth provider, and exchanges the authorization code directly. No cross-origin redirect chain.
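    // PKCE is selected on the client itself (auth.flowType: "pkce" in the
    // createClient options); this call only starts the OAuth request.
    const { data, error } = await supabase.auth.signInWithOAuth({
      provider: "google",
      options: {
        // Do not navigate automatically; data.url holds the provider URL to open.
        skipBrowserRedirect: true,
        // Deep link that returns the user to the app after sign-in.
        redirectTo: "mymuaythai://auth/callback",
        // Extra parameters forwarded to Google's authorization endpoint.
        queryParams: {
          access_type: "offline",
          prompt: "consent",
        },
      },
    });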
The lesson
Always test auth flows on physical iOS devices, not just simulators. And if you're using Supabase Auth with React Native, enable PKCE from day one — don't wait until you discover the silent failure in production.