I need some help on a scenario I need to implement.
My users are using mobile apps (iOS & Android). They have the access token and the id token.
They can also log in to a web app and navigate through it.
In a specific scenario, I want to take my user from the mobile app to a specific page of the web app via a webview. My question is, is it possible to skip the login page in the webview, and take my users to the web app page authenticated? Can I use the id token/access token via a URL param to silently log in and access the web app in the web view? What are the best practices here?
Firstly, let me mention that passing in the ID token or access token via a query parameter is highly risky, as bad actors can intercept the token and gain access. Therefore, this is strongly not recommended.
Now, on iOS and Android, ASWebAuthenticationSession and Chrome Custom Tabs are the recommended components for web-based login. They share the global cookie jar (unlike WebViews), enabling seamless SSO if a browser session exists. However, these cookies cannot be shared with WebViews.
Additionally, there’s no built-in way to share the session with a WebView. For strict business cases, you could inject an access token into the WebView, allowing the web application to call APIs without re-authenticating the user.
This approach is highly sensitive and prone to security risks if not thoroughly vetted. To explore this solution and determine its suitability, we recommend consulting Auth0’s Professional Services team.
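
Added example, not part of the original thread and not Auth0 code: a request URL is written to web server access logs, so a token placed in a query parameter persists there. The Node.js sketch below scans access-log lines for JWT-shaped query values and redacts them; the token, the `id_token` parameter name, the paths and the log lines are constructed sample data.

```javascript
// Added example. The token, parameter names and log lines are constructed.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const sampleJwt =
  `${b64({ alg: "RS256", typ: "JWT" })}.${b64({ sub: "user-123", exp: 1700000000 })}.c2lnbmF0dXJl`;

// A JWT is three base64url segments; the header starts with "eyJ" (encoded '{"').
const JWT_SHAPE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function decodeSegment(seg) {
  try {
    return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  } catch {
    return null; // not JSON, so not a JWT segment
  }
}

// Scan one request target (path + query); report and redact JWT-valued params.
function scanUrl(rawUrl) {
  const url = new URL(rawUrl, "https://placeholder.invalid"); // base used only for parsing
  const findings = [];
  for (const [name, value] of [...url.searchParams]) {
    if (!JWT_SHAPE.test(value)) continue;
    const [h, p] = value.split(".");
    const header = decodeSegment(h), payload = decodeSegment(p);
    if (!header || !payload) continue; // right shape, but segments are not JSON
    findings.push({ param: name, alg: header.alg ?? null, sub: payload.sub ?? null });
    url.searchParams.set(name, "REDACTED_JWT");
  }
  return { redacted: url.pathname + url.search, findings };
}

// Scan access-log lines in common log format and return the redacted hits.
function scanAccessLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const m = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
    if (!m) return;
    const { redacted, findings } = scanUrl(m[1]);
    if (findings.length) hits.push({ lineNo: i + 1, line: line.replace(m[1], () => redacted), findings });
  });
  return hits;
}

const SAMPLE_LOG = [
  `203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /account/orders?id_token=${sampleJwt}&tab=open HTTP/1.1" 200 512`,
  `203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /account/orders?tab=open HTTP/1.1" 200 498`,
];
console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

Each hit names the parameter and the `sub` claim read from the token payload, which shows that anyone with read access to the log can tell whose token was exposed.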