Hybrid login flow using Cordova+Auth0 Web SSO


I’m developing a Cordova app and would like to use Auth0 for SSO. But all the existing Auth0+Cordova examples for Cordova still reference inappbrowser plugin which is deprecated and now the latest Cordova version only supports WKWebView. Apple is also now rejecting any apps using inappbrowser plugin. Google also no longer supports SSO from embedded web views (hybrid apps) since that requires the user to actually login again and breaks the “user experience”.

So I decided to take a different route and I’m looking if there are any flaws in this SSO login flow, or if there are better ways to do this or any feedback in general.

Step 1: The Cordova app the queries my backend PHP server for a new UUID (several methods are available to create a UUID).
Step 2: In the Cordova app, the user clicks “SSO Login” which is a link to my server to start the Auth0 SSO process (same as would be in a regular web app). This link includes the UUID from Step 1. When clicked, the link opens up in the default mobile browser (not as a web view in the app).
Step 3: The server then starts a PHP_Session for the user and stores the UUID in a database (along with IP address and some other tracking info).
Step 4: The Auth0 process is then called normally via: $auth0->login();
Step 5: The user logs in via SSO normally
Step 6: Upon successful login the callback page on the server in called, and the $auth0->getUser(); information is stored (or updated) in the user database using the UUID stored in the session variable.
Step 7. As soon as the user clicked the login link in Step 2, the Cordova app goes into a loop checking the server every 2 seconds with the UUID to check for successful login from SSO. This runs for 60 seconds basically waiting for the SSO to complete. If no successful login is detected, the login fails. But when a successful login is detected, the loop stops and captures the (encrypted) user info from the server.
Step 8: The callback page on the server shows successful login and displays a CUSTOM-URL-SCHEME link to bring the user back to the app where the app shows the user as now logged in.
Step 8: Cleanup. UUID is purged from the database.

This might seem like a lot of steps, but it’s actually very simple and works great so far. Also, I can control and modify the entire SSO login process without changing or updating the app code since it’s all server side using well established Auth0 web login procedures. It also makes the Cordova app quite a bit simpler since the SSO is happening in a regular web browser.



Any thoughts or comments from the Auth0 team?