From 83acded15b8b30d78e680a6f194b4a29310eeb27 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 8 Mar 2026 17:54:01 +0100
Subject: [PATCH 1/3] update url

---
 ee/psso/PSSO/EnterpriseSSO.swift | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ee/psso/PSSO/EnterpriseSSO.swift b/ee/psso/PSSO/EnterpriseSSO.swift
index eb7cd7f4..652ad28b 100644
--- a/ee/psso/PSSO/EnterpriseSSO.swift
+++ b/ee/psso/PSSO/EnterpriseSSO.swift
@@ -4,9 +4,9 @@ import Bridge
 
 
 extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthorizationRequestHandler {
-    static let ssoExtURLPath = "/endpoint/agent/apple_ssoext/"
-    static let queryChallenge = "challenge"
-    static let queryResponse = "response"
+    static let ssoExtURLPath = "/endpoints/agent/browser-backchannel/"
+    static let queryChallenge = "xak-agent-challenge"
+    static let queryResponse = "xak-agent-response"
 
     private func shouldSkip(request: ASAuthorizationProviderExtensionAuthorizationRequest) -> Bool {
         // if !(request.loginManager?.isDeviceRegistered ?? false)

From 492b0645872f23a683c30798adde2bad019a97f4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 8 Mar 2026 17:55:46 +0100
Subject: [PATCH 2/3] cleanup

---
 ee/psso/PSSO/EnterpriseSSO.swift | 44 ++------------------------------
 1 file changed, 2 insertions(+), 42 deletions(-)

diff --git a/ee/psso/PSSO/EnterpriseSSO.swift b/ee/psso/PSSO/EnterpriseSSO.swift
index 652ad28b..effa33b3 100644
--- a/ee/psso/PSSO/EnterpriseSSO.swift
+++ b/ee/psso/PSSO/EnterpriseSSO.swift
@@ -9,12 +9,7 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
     static let queryResponse = "xak-agent-response"
 
     private func shouldSkip(request: ASAuthorizationProviderExtensionAuthorizationRequest) -> Bool {
-        // if !(request.loginManager?.isDeviceRegistered ?? false)
-        //     || !(request.loginManager?.isUserRegistered ?? false)
-        // {
-        //     self.logger.info("SSOE: Skipping due to unregistered user or device")
-        //     return true
-        // }
+        // We specifically don't check for PSSO registration status as this functionality doesn't require PSSO
         let callerBundle = request.callerBundleIdentifier
         if let exclusions = request.extensionData["ExcludedApps"] as? [String],
             exclusions.contains(callerBundle)
@@ -26,21 +21,7 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
             self.logger.info("SSOE: No login manager, skipping")
             return true
         }
-        // guard let base = URL(string: config.BaseURL) else {
-        //     self.logger.info("SSOE: Unable to parse base URL")
-        //     return true
-        // }
-        // if request.url.scheme != base.scheme
-        //     || request.url
-        //     .host()
-        //     != base
-        //     .host()
-        //     || !request.url.path().starts(with: base.path())
-        // {
-        //     self.logger.info("SSOE: Skipping due to mismatching base URL")
-        //     return true
-        // }
-        if request.url.valueOf(AuthenticationViewController.queryResponse) == nil {
+        if request.url.valueOf(AuthenticationViewController.queryResponse) != nil {
             self.logger.info("SSOE: Skipping due to existing response")
             return true
         }
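Review bot: With the base-URL comparison deleted in the second hunk, nothing left in shouldSkip checks that `request.url` is on the configured server's scheme and host before the handler goes on to answer the challenge; what remains is the ExcludedApps denylist, a non-nil login manager and the absence of an `xak-agent-response` query item, and the first hunk also dropped the device/user registration gate, so any app not on the denylist is now served. If URL scoping is meant to come entirely from the associated domains in the Extensible SSO profile, record that where the check used to be, e.g. `// URL scoping relies on the SSO profile's associated domains; no host comparison is done here`; otherwise keep a scheme/host comparison against the configured base URL instead of deleting it. `ssoExtURLPath` is still declared in this file, but no path check against it appears in these hunks. shouldSkip starts above the hunk and its caller is not shown.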
@@ -92,25 +73,4 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
             }
         }
     }
-
-    private func injectSession(
-        with request: ASAuthorizationProviderExtensionAuthorizationRequest
-    ) -> Bool {
-        let sessionKey = request.loginManager?.ssoTokens?["session_key"]
-        if let sk = sessionKey as? String {
-            self.logger.debug("SSOE: Injecting session \(sk)")
-            let url = request.url.appending(queryItems: [URLQueryItem(name: "ak-ssoe", value: "1")])
-            let headers: [String: String] = [
-                "Location": url.absoluteString,
-                "Set-Cookie": "authentik_session=\(sk); Path=/; Secure; HttpOnly",
-            ]
-            if let response = HTTPURLResponse.init(
-                url: request.url, statusCode: 302, httpVersion: nil, headerFields: headers)
-            {
-                request.complete(httpResponse: response, httpBody: nil)
-                return true
-            }
-        }
-        return false
-    }
 }

From 45f3d3a94c18831557c509c8a8b538c2d3c5643c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 8 Mar 2026 18:03:59 +0100
Subject: [PATCH 3/3] specific implementation for macos and other :eyes:

---
 ee/psso/PSSO/EnterpriseSSO.swift | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ee/psso/PSSO/EnterpriseSSO.swift b/ee/psso/PSSO/EnterpriseSSO.swift
index effa33b3..04cba343 100644
--- a/ee/psso/PSSO/EnterpriseSSO.swift
+++ b/ee/psso/PSSO/EnterpriseSSO.swift
@@ -47,6 +47,12 @@ extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthoriz
             request.doNotHandle()
             return
         }
+#if os(macOS)
+        return getSignedResponseMac(challenge: challenge, request: request)
+#endif
+    }
+
+    public func getSignedResponseMac(challenge: String, request: ASAuthorizationProviderExtensionAuthorizationRequest) {
         Task {
             do {
                 let header = try await SysdBridge.shared.platformSignedEndpointHeader(
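Review bot: On any platform other than macOS the handler in the last hunk now runs off the end after `#endif` without completing or declining the request, because the only call to getSignedResponseMac sits inside `#if os(macOS)` and there is no `#else`, so the request is left unanswered; add `#else` / `request.doNotHandle()` before `#endif` (or gate the whole handler on macOS). `public` is also wider than this extension needs for a helper called only from here — `private`, matching `shouldSkip`, keeps the surface smaller — and Swift convention drops the `get` prefix for a method that produces no value, e.g. `signChallengeOnMac(...)`. The enclosing handler starts above the hunk and the body of getSignedResponseMac continues past it.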