Use regular browser tab for auth on macOS

[jamilbk]

Unfortunately Firefox on macOS doesn't support the WebAuthenticationSession API used to perform secure sandboxed auth. This is the API Apple recommends using for secure auth on macOS and works well with Chrome and Safari.

However, Firefox users are left with the inconvenience of having to authenticate using another browser, which can be annoying if the user relies on the Firefox password vault.

The risk of implementing this for the App Store distributed client is that it can be rejected by Apple.

Related: #7071

[klochowicz]

related: #11458

[thomaseizinger]

The risk of implementing this for the App Store distributed client is that it can be rejected by Apple.

Could we implement a toggle, which API to use and make it only active in the standalone client? I imagine the variability in the codepaths wouldn't be that big.

[jamilbk]

The risk of implementing this for the App Store distributed client is that it can be rejected by Apple.

Could we implement a toggle, which API to use and make it only active in the standalone client? I imagine the variability in the codepaths wouldn't be that big.

A feature flag or admin-controlled MDM setting might work better for this. Standalone vs app store is not a good determinator because App Store distribution is still easier with some MDMs (e.g. Kandji via Blueprints) and I know some of our largest customers do it this way.

[jamilbk]

Yeah, thinking about this a little more, a simple MDM-controlled feature flag would be a good fit for this -- i.e. nativeBrowserAuth = true which defaults to false. After feedback we can try our luck defaulting it to true.