Share credentials between native app and web site

Question

An application I'm working on allows users to log into an OAuth-enabled backend. The application is therefore privy only to the authentication tokens and user metadata, not to the user's credentials.

Within the application, users can hit links that open up links in a browser. These resources are also protected by OAuth, and the token obtained during login to the native app is also relevant to the web.

I would like the user's credentials to flow from the native app to the web browser in the standard OAuth manner (by including it as an Authorization header).

It seems that Android facilitates this through its shared credentials feature, but I cannot find an equivalent for iOS. I did find the shared web credentials feature, but that seems to require knowledge of the user's credentials.

How can I flow OAuth tokens from my native app through to web browsers that it opens?

Answer 1

Associated Domains and Shared Web Credentials don't seem to be a good approach here.

You have two options:

1. Passing the OAuth Access Token as URL-QueryString-Param to the WebBrowser. https://x.y.z/?access_token=abc You'll have to manipulate the embedded URLs and assure that your backend understands this. Very common and easy approach. Many websites like Facebook and Google are passing Access Tokens in the URL.
2. If you're using In-App-Browsers (UIWebView, WKWebView), you can intercept the URL-Request and add the Authorization Header on your own. See this for UIWebView and this for WKWebView (which is little bit harder than UIWebView)

Answer 2

Technically, you could just include the token in the URI you pass to the browser.

But this would be insecure:

Injection of access tokens

An additional (and very dangerous) threat occurs when clients accept access tokens from sources other than the return call from the token endpoint. This can occur for a client that uses the implicit flow (where the token is passed directly as a parameter in the URL hash) and don't properly use the OAuth state parameter. This issue can also occur if different parts of an application pass the access token between components in order to "share" access among them. This is problematic because it opens up a place for access tokens to potentially be injected into an application by an outside party (and potentially leak outside of the application). If the client application does not validate the access token through some mechanism, it has no way of differentiating between a valid token and an attack token.

(Source: https://oauth.net/articles/authentication/)

It is also forbidden in the specification:

Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.

(Source: https://www.rfc-editor.org/rfc/rfc6749#section-10.3)

So instead, you could try using an alternative OAuth flow, called "Authorization Code Flow", where instead of passing the token to the browser, the app passes a special code, which the browser then uses to obtain a token from the server.

However, your use case isn't exactly what this mechanism was created for, so I'm not sure using it to accomplish what you're after would be in line with the specification.