Much like this previous community post (Sharing authentication between native app & two websites), we are trying to provide SSO for our mobile native applications & web SPAs (using Auth0 of course) like so:
A user can open then log into native-app1, and then on the same device open native-app2 and be automatically logged in (SSO’d)
A user can navigate to app1.mycompany.com using their mobile device’s default browser, login, and then open native-app1 and be automatically logged in (SSO’d)
A user can open then log into native-app1, and then on the same device navigate to app1.mycompany.com using their mobile device’s default browser, and be automatically logged in (SSO’d)
We have already achieved SSO between our web SPAs (on a single device) and this works well
We have already achieved ‘forever login’ using Auth0 (via Refresh tokens) for our native apps (iOS & Android) and this works well, but does not provide SSO whatsoever
We believe that our ‘SSO goals’ above could be effectively achieved for our Android-native apps <-> web SPAs.
We have been led to believe so far (both by reading and by direct experience) that we cannot achieve our ‘SSO goals’ above for our iOS apps, because of the prompt behavior that results from using iOS’ ASWebAuthenticationSession class as part of navigating a user to our (auth0) Hosted Login Page. (see this issue in the ‘AppAuth-iOS’ Github repo here as a background: https://github.com/openid/AppAuth-iOS/issues/120)
Specifically with iOS, if/when we try to achieve SSO by calling the /authorize API (via Auth0.swift cocoa pod, 1.14.1) to silently retrieve a fresh access_token (via appending the query param “prompt=none”), the user receives a ‘double prompt’ whereby they see this OS dialog twice, thus having a pretty terrible experience:
" ‘AppName’ Wants to use ‘mycompany.com’ to Sign In"
They see this >1 times, because the (native iOS) app, using the ‘ASWebAuthenticationSession’ class (via Auth0.swift), must make >1 HTTP calls to our Auth0 service endpoint to allow the user to visit our Hosted Login Page, as part of an SSO flow. (first to try to get an access_token for an existing SSO session, second to take them to the HLP if no existing session)
So, this post is really just a check-in to ask these questions:
Does anyone reading this post know of any existing way to circumvent this prompt appearing >1 times?
Do you, Auth0, have any plans to allow us to only call Auth0 via the ‘ASWebAuthenticationSession’ class 1 time to get a fresh access_token via SSO or receive back our HLP if no existing SSO session? (e.g. allowing us to pass ‘prompt=onlyIfNeeded’)
Has Apple made any hints that they may be changing how this prompt behavior works in order to facilitate achieving SSO for native (iOS) apps? (i.e. allowing one prompt to cover >1 HTTP requests?)
Does anyone know of a viable, alternative method for achieving SSO (using OAuth2/OIDC) for a native iOS app besides how we are trying to achieve it? (effectively, we are trying to accomplish SSO in the same way that we have already achieved it amongst our web SPAs)
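As an added illustration (not code from the post, from Auth0.swift or from Auth0), here is the prompt=none-then-fallback pattern the post describes, written in Python so the OIDC side can be run on its own: it builds the silent and interactive /authorize URLs with PKCE, classifies the redirect that comes back, and counts how many ASWebAuthenticationSession launches (each one costing an OS consent dialog) the pattern needs. The tenant domain, client id and callback scheme are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions, not values from the post).
DOMAIN = "mycompany.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "com.mycompany.app1://callback"
# OIDC Core 3.1.2.6 errors that mean "no usable session, show the login page".
NEEDS_INTERACTION = {"login_required", "interaction_required",
                     "consent_required", "account_selection_required"}

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 code_challenge = BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """43-char code_verifier for a fresh authorization attempt."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def authorize_url(state: str, verifier: str, silent: bool) -> str:
    """Build the /authorize URL; silent=True adds prompt=none so the server
    answers with an error instead of rendering the Hosted Login Page."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile offline_access",
        "state": state, "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if silent:
        params["prompt"] = "none"
    return f"https://{DOMAIN}/authorize?" + urlencode(params)

def classify_callback(callback_url: str, expected_state: str):
    """('code', code) on success, ('interactive', None) when a second, non-silent
    session is required, ('reject', reason) on state mismatch or other errors."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return ("reject", "state_mismatch")
    error = q.get("error", [None])[0]
    if error is None and "code" in q:
        return ("code", q["code"][0])
    if error in NEEDS_INTERACTION:
        return ("interactive", None)
    return ("reject", error or "missing_code")

def sessions_required(first_callback_url: str, state: str) -> int:
    """ASWebAuthenticationSession launches (and OS consent dialogs) the pattern
    costs: 1 when the silent call hits an SSO session, 2 when the HLP is needed."""
    kind, _ = classify_callback(first_callback_url, state)
    return 2 if kind == "interactive" else 1
```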