I still don't quite get it.
As far as I understand it we should do https redirects instead of using custom url schemes because everyone could define the custom schemes into their apps. Why are then Apple's solutions SFAuthenticationSession(used before iOS 12), ASWebAuthenticationSession designed to use custom url schemes?
We have universal links enabled, so I thought it should be fairly easy to use a universal link. To test that I passed the https redirect to the ASWebAuthenticationSession and checked in the application:continueUserActivity:restorationHandler: callback in the app delegate for the redirect. It worked. Trying the same thing for the SFAuthenticationSession on iOS 11 on the other hand fails.
Am I overlooking something here? Isn't this really a security problem or am I listening at the wrong place to get the callback for the SFAuthenticationSession?