SSO approach for native mobile app with web views?

So the standard SSO approach for native mobile apps (both Android and iOS) appears to be OAuth2 + OpenID Connect via the AppAuth library.

That's all well and good -- and actually seems to approach elegance.

But what if the very same app contains embedded web view component(s) which need to access resources using the same SSO (on the same server in the same web apps as the native code where all resources require authentication for access)?

For starters, OAuth2 access tokens (once acquired) are not automatically propagated to hyperlink requests, etc., within a web app, right? So do the web app pages themselves really have to be reworked with JavaScript to do such propagation? The mobile app can rewrite the requests to address this, but:

  1. At least on Android this only applies to GET requests (right?)
  2. More critically, this assumes the web app does not need to function in a normal browser client

Is OAuth2 not the right approach here? If so, that seems a shame -- as AppAuth seems pretty nice for the native app side of things. It's just blending basic web view browsing into the picture that really makes a mess of things.

Or is there just some de facto standard JavaScript library that one can mix in with Angular or the like (and then require use of Angular or the like)?

Jess Holle asked Jul 18 '17 22:07


1 Answer

Lead maintainer for AppAuth here. There is not a standard approach, yet, to what you are describing. The OAuth2 for Native Apps BCP at the IETF takes steps in the right direction (and inspired AppAuth) but doesn't cover how to synchronize authentication state between apps and sites - this is left as an exercise to the reader.

If your main concern is a consistent authentication state between an app and its associated site in the user's browser, the best approach is typically to delegate authentication to the site, via a custom tab on Android or SFSVC / SFAuthenticationSession on iOS. The authentication would be managed by the site, and once complete, the authentication state can be shared back to the app via a custom scheme or app link / universal link.

Where embedded WebView is concerned, the opposite applies - seed the webview's perspective of the site from the app, as the webview's state will not persist while the app's state should.

I wish there was a better, more standardized solution to this and will work towards it, but for now bespoke, per-service solutions are all that is practical.

iainmcgin answered Oct 16 '22 14:10
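The two halves of the answer (site-driven login handed back via a custom scheme, then the app seeding the embedded WebView's view of the site), as an added Android example that is not part of the answer or of AppAuth. It assumes a site at `https://app.example.com` that finishes login by redirecting to `exampleapp://auth-complete?state=...&session=...`, that the app stored `pending_state` in SharedPreferences when it launched the custom tab, and that `sid` is the cookie name the site expects.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.webkit.CookieManager
import android.webkit.WebView

// Assumed site and callback; the site is assumed to redirect to
// exampleapp://auth-complete?state=...&session=... once login completes.
private const val SITE_ORIGIN = "https://app.example.com"
private const val CALLBACK_SCHEME = "exampleapp"
private const val CALLBACK_HOST = "auth-complete"

class AuthCallbackActivity : Activity() {
    private lateinit var webView: WebView

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        webView = WebView(this)
        setContentView(webView)
        handleCallback(intent)
    }

    private fun handleCallback(intent: Intent?) {
        val uri = intent?.data ?: return
        // Accept only our own callback; anything else routed here is ignored.
        if (uri.scheme != CALLBACK_SCHEME || uri.host != CALLBACK_HOST) return
        // The state value was stored when the custom tab was launched. Requiring
        // it here stops a crafted link from planting a session into the app
        // (the same role OAuth2's state parameter plays).
        val prefs = getSharedPreferences("auth", MODE_PRIVATE)
        val expected = prefs.getString("pending_state", null) ?: return
        if (uri.getQueryParameter("state") != expected) return
        prefs.edit().remove("pending_state").apply()
        val session = uri.getQueryParameter("session") ?: return
        seedWebViewSession(session)
        webView.loadUrl("$SITE_ORIGIN/")
    }

    // Seed the WebView's cookie jar so every request it makes (GET and POST,
    // page loads and sub-resources) carries the site session, instead of
    // rewriting individual requests from the app.
    private fun seedWebViewSession(session: String) {
        val cookies = CookieManager.getInstance()
        cookies.setAcceptCookie(true)
        cookies.setCookie(SITE_ORIGIN, "sid=$session; Secure; HttpOnly; Path=/")
        cookies.flush()  // persist immediately in case the process is killed
    }
}
```

Because the redirect URL can end up in system logs and browser history, a site that hands back a short-lived one-time code for the app to exchange over HTTPS is preferable to placing the session value itself in the URL. The cookie approach also removes the GET-only limitation of header injection in `shouldInterceptRequest` that the question raises.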