Are there any recommendations for how to use Auth0 in native mobile apps (SwiftUI) with APIs protected by AWS ALB authentication (integrated with the same Auth0 tenant)?
The challenge with integrating Auth0 OIDC into an AWS ALB via a Listener is that the ALB returns a reference to the token (not the actual token) in a secure cookie, usually called AWSELBAuthSessionCookie, which cannot be referenced in a WebView and returned back to Swift. Even if the secure cookie were returned to Swift, it is not the actual token and cannot be exchanged for the access token needed for APIs. Another option is to use the AWS API Gateway, which allows for a totally custom Lambda authorizer, but most devs cannot create a robust, secure (aka good) authorizer, and the ones in AWS Blueprints need a lot of work before they are production ready. The AWS API Gateway is also a shared service in an AWS account, and AWS CloudFront is the only WAF it supports. I’m disappointed with the available options in AWS.
Thank you for your response.
Having researched this topic quite a bit, I was surprised to find that there was no clear conventional solution for native app authentication.
Returning the AWSELBAuthSessionCookie session ID cookie from the WebView to Swift could potentially be a solution, but even if it works, it feels like a hack. Auth0’s SDK clearly does not intend such use.
If I understand correctly, the intended design by Auth0 is that after the AuthN flow you get a JWT ID token on the client, and then you add it to every request and validate it server side, which AWS ALB does not do, so my already-working AuthN setup would need to be thrown out.
I’m exploring API Gateway options (AWS one did not look too appealing)…