I was wondering and trying to find a solution to open a webview inside a mobile application with the same authentication session, or the same user, without any user interaction.
Now I have already implemented login for mobile with OAuth, but I have no idea how to implement the above with a correct solution.
I have some solutions, but I'm not sure whether they are best practice and good for security.
- I will generate an authorize URL with a new client, different from the mobile app, for the button in the app. But in this case there is a chance that the user logs in with a different account without knowing it, which would cause a mismatch between the mobile app and the webview.
- I will pass the id_token instead and let the webview validate the id_token with a public key; if it is valid, force login for the webview.
FYI, I have implemented OIDC too, but can I use it to support this case or not?