How to share JWT Tokens across Multiple Applications (Web / Mobile) when using identity server 3.0 and oAuth 2.0

We have a Secure Token Server built on Identity Server 3.0 that manages security across multiple applications, both Single Page and Native Mobile applications. And there are resource server(s) (a RESTful API that needs to be accessed by the aforesaid applications). The mobile application gives a summarised view of the Client information, whereas the user needs to navigate to the Single Page application to get the complete view of the client.

At present the mobile application (Cordova) retrieves the client information summary from the resource server through the Resource Owner Client Credential Grant and displays a list of Client information in the form of a grid in the Cordova app.

The requirement now is to open the Client Details information (Details View) in the single page application (AngularJS) without making the user login again. At this point the mobile app possesses a token that can access the resource server (scope).

The problem now is how to pass the token we have to the Single Page application (AngularJS) without sending it (the token) in the URL. Could someone please shed some light on what is the best possible way to handle the scenario?

Asela Gunawardena, asked Feb 04 '19 01:02


2 Answers

Make sure all your platforms share the same "secret".

BorisD, answered Oct 18 '22 05:10


What you need is Single Sign-On (SSO) behaviour between two applications. But there is an issue with the current flow you use.

As you are currently using the Resource Owner Client Credential Grant, you are not using the end-user login of Identity Server. Instead, I believe you obtain end-user credentials from the mobile app and invoke the token endpoint to obtain tokens.

From the OAuth/OpenID Connect perspective, SSO is implemented on top of browser cookies. How does it work?

1. App A follows a flow that utilizes front-channel login (e.g. Authorization Code flow with PKCE)
2. The end user is presented with the login page of Identity Server
3. App A completes the flow and obtains tokens
4. App B uses a flow that utilizes front-channel login
5. Identity Server gets the login request and sees cookies which correlate to the previously logged-in user
6. Because of the cookies, the login page is skipped and optionally a consent page will be shown
7. App B completes the flow and obtains tokens

This is how SSO works and, as you can see, it requires browser involvement. And I think this is the right way to solve the issue.

Also, from OAuth/OpenID Connect principles, the client is discouraged from obtaining end-user credentials. Your client flow is okay if the application is privileged or cannot use browser involvement (source).

Kavindu Dodanduwa, answered Oct 18 '22 05:10