I have a question regarding the consistency of user sessions between our (1) native app, and (2) web app accessed through (1)'s in-app browser.
Currently, we have a native app and a web app, both share the same user base and auth server.
The native app uses refresh tokens to manage user sessions, which are set to a year.
Within the native app, a few features utilize an in-app browser (webview) to access the web app’s frontend. This webview, by default, shares the same session cookies as the default browser, which are set to last only 1 week.
The issue we have right now is that the native app’s users can only access these features (of the web app) through the webview (without having to log in again) if/when the browser’s session is valid, which is meant to be shorter than the native app’s session. When the browser’s session expires, users are redirected to log in again in the webview.
Is there a way to make the sessions of the web app accessed through the webview in the native app be dictated by the native app’s session, instead of the browser’s session cookies? (So the users don’t have to log in again in the webview as long as the native app’s session is still valid)
The goal is not SSO, but to have the native app and the web app accessed through its webview share the same session (1 year) while the web app accessed through the browser keeps a separate session (1 week).
One workaround we’re considering is to pass the access token from the native app to the web app each time it accesses it through the webview (as below), so the web app (in the webview) can use this to satisfy the auth guard.
Does anyone know if this implementation is possible?
And if yes, what kind of concerns should we have?
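A sketch of how the web app's server-side auth guard could treat the workaround described above (an added example, not part of the original post): a webview request carrying the native app's access token in an `Authorization` header is checked for signature, audience and expiry and never touches the cookie session, so the browser's 1-week session stays separate. The HMAC token format, claim names, `KEY`, `WEBVIEW_AUDIENCE` and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumptions (not from the post): HMAC-signed "payload.signature" tokens,
# the claim names, KEY and WEBVIEW_AUDIENCE are all hypothetical.
KEY = b"constructed-demo-key"
WEBVIEW_AUDIENCE = "web-app-webview"
BROWSER_SESSION_TTL = 7 * 24 * 3600  # the 1-week browser session from the post

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())

def mint_token(sub, aud, ttl, now):
    """Stand-in for the shared auth server issuing a short-lived access token."""
    payload = _b64(json.dumps({"sub": sub, "aud": aud, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now):
    """Return the claims only if signature, audience and expiry all check out."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("aud") != WEBVIEW_AUDIENCE:
        return None  # token minted for some other API: do not accept it here
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now or "sub" not in claims:
        return None
    return claims

def auth_guard(headers, cookies, sessions, now):
    """Server-side guard: returns (user, source) or (None, reason)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):  # webview request carrying the native app's token
        claims = verify_token(auth[len("Bearer "):], now)
        if claims is None:
            return None, "invalid_token"  # native app refreshes and retries
        return claims["sub"], "native_token"  # no cookie is set or extended
    session = sessions.get(cookies.get("sid"))
    if session and session["expires"] > now:
        return session["user"], "browser_cookie"
    return None, "login_required"
```

Because the guard only reads the header and never issues a cookie, how long the webview stays signed in is governed by the native app's ability to obtain fresh access tokens, while a plain browser visit still depends on the cookie session alone.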