We have React application where we use Auth0 to manage authentication. Authentication process is handled by
@auth0/auth0-react library with refresh tokens.
To provide a better user experience, we would like to retain the authentication session when user clicks on the [Open in app] button on the website so they don’t need to enter credentials manually in the desktop app.
In the current implementation, when the user clicks that button, we send him to
/authorize endpoint which will redirect back to our application with the
code provided. Then we transfer the given code to the desktop app along with the transaction session object so we can issue a new OAuth token in the desktop application.
There are two issues with the given approach:
- We extract transaction object from web session storage and give it to a desktop app. That’s needed for getting
code_verifierdata for issuing a new token on a desktop app. Which is quite a dirty approach and not part of a public interface of the
@auth0/auth-reactlibrary we use.
- When a user clicks the [Open in app] button, we send him first to the
/authorizeendpoint and then opening the app which hurts UX a bit. Would be great to open the app directly by clicking the button while having auth session persist.
Is there a better way to approach that problem? Can we loosen the auth0 requirements of issuing new tokens so we can do that much simpler? Might be JWT can be helpful here?