How to do SSO between iOS app and React SPA in same organization?

I would like to use Lock for iOS/Swift in my iPhone application to allow the user to log in, and then seamlessly authenticate with my React SPA.

Currently I have login set up independently for the iOS and React applications; however, some of the pages in the React website are embedded in the iOS app via a webview. I need a way to authenticate with the React website once I log into the iOS app, so that when the user navigates to the webview they aren’t prompted for login.

Is what I am describing SSO? Basically I am confused on which endpoints to call (if any). All of these applications are part of my organization.

Note: The reason the React SPA is necessary is because a small part of the iOS app will embed the website instead of creating the views in native code.

I am terribly sorry that it took so long in getting back to you, and for the inconvenience you have had so far.

Your scenario is pretty standard. However, this will impose using the hosted login page to log in to the Swift application. The details of what this imposes, along with the pros and cons, are documented at https://auth0.com/docs/tutorials/browser-based-vs-native-experience-on-mobile

Here is how the integration would work, in an ideal scenario where the applications are different and your SPA is actually living in a separate website in Safari View Controller / Chrome Custom Tabs (embedded browser tab), or needs a server-side session (WordPress website etc.), or you have no access to the application living inside the webview and it's conceptually a different app.

  1. The user arrives at your app. Your app sees no session and initiates login using the WebAuth method in the iOS / Swift SDK. At this point your application will get a refresh_token which the app uses to keep the user logged in.

  2. The user then goes to the webview, say https://foo.com/. At this point foo.com will notice that it has no session for the user, therefore it will redirect to Auth0 with `prompt=none` optimistically (using the renewAuth method in Auth0.js).

  3. Auth0 will then see the user’s session and immediately respond with a token for the webview. The webview can now show the user the required session.

This flow is documented in great detail at Configure Silent Authentication. The above is under the assumption that the webview is being opened in the same browser (say Safari View Controller, which is the recommended way of doing it in applications).

If, however, that is not the case and you have lower-level access to the webview (say you can pass a token to the webview directly, as they are conceptually the same application with just different presentation layers), then you can call a JavaScript API exposed in your JavaScript application from your native code and just pass an access token with limited access to the React webview, which is going to be used for the specific view only.
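
Steps 2 and 3 of the flow above at the OpenID Connect protocol level, as an added example that is not part of the original answer and does not reproduce Auth0.js or its renewAuth method. It assumes the authorization code flow with PKCE; the domain, client ID and callback URL are constructed placeholders, and Node's `crypto` module stands in for the browser's so the block runs stand-alone.

```javascript
const crypto = require('node:crypto');

// Constructed placeholder values, not taken from the post.
const CONFIG = {
  domain: 'tenant.example.com',
  clientId: 'SPA_CLIENT_ID',
  redirectUri: 'https://foo.com/callback',
  scope: 'openid profile',
};

const rand = (n) => crypto.randomBytes(n).toString('base64url');

// Step 2: the SPA has no session, so it asks the authorization server
// to answer from its own session cookie without showing any login UI.
function buildSilentAuthRequest(cfg) {
  const state = rand(16);          // binds the response to this request
  const codeVerifier = rand(32);   // PKCE secret, kept by the SPA
  const codeChallenge = crypto.createHash('sha256')
    .update(codeVerifier).digest('base64url');
  const url = new URL(`https://${cfg.domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    prompt: 'none',
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, codeVerifier };
}

// OIDC errors meaning "no usable session; show the login page".
const NEEDS_INTERACTION = new Set(
  ['login_required', 'consent_required', 'interaction_required']);

// Step 3: classify the redirect that comes back to the SPA.
function handleSilentAuthResponse(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get('state') !== expectedState) {
    return { status: 'rejected', reason: 'state_mismatch' };
  }
  const error = p.get('error');
  if (error) {
    const status = NEEDS_INTERACTION.has(error) ? 'login_needed' : 'failed';
    return { status, reason: error };
  }
  const code = p.get('code');
  return code ? { status: 'authenticated', code }
              : { status: 'failed', reason: 'missing_code' };
}
```

A `login_needed` result is the case where the webview does not share the session created by the native login, so the SPA has to fall back to an interactive login.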