We have a requirement in our product to allow users to access a web app in the browser seamlessly from our native mobile application. Currently, our mobile app uses Embedded Login and the Resource Owner Password Credentials (ROPC) Grant flow, where the user provides their credentials to obtain a JWT token, which is then used to access our mobile backend APIs. We cannot pass this same JWT token to the web browser due to security concerns.
We would like your guidance on implementing a secure and seamless SSO mechanism for users navigating from the native app to the web app in browser without requiring relogin.
Specifically:
Does Auth0 provide any built-in functionality for Native to Web SSO that could meet this requirement? If not, could you recommend an approach or best practices for implementing a secure solution?
We want to implement a nonce authentication pattern: the mobile app obtains a one-time, short-lived token from Auth0 using its JWT token and passes that one-time token as a query string parameter in the URL, and the web app then authenticates/authorizes the user with that short-lived, one-time token. Is it feasible to implement this using Auth0?
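The handoff the question describes, written out as an added illustration. This is not code from the original post and it is not Auth0 code or an Auth0 API; it is a generic single-use handoff token service with an in-memory store. The names (HandoffTokenService, HANDOFF_TTL_SECONDS, the "handoff" query parameter, the audience values, user "u-123") are assumptions for the example, and it assumes the mobile backend that issues the token and the web app that redeems it share this service or a common store.

```python
"""Single-use, short-lived handoff token for native-app -> browser SSO.

Constructed illustration of the "nonce" pattern from the question above; it is
not Auth0 code and uses no Auth0 API. The mobile backend (issuer) and the web
app (redeemer) are assumed to share this service or a common store.
"""
import hashlib
import hmac
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

HANDOFF_TTL_SECONDS = 60  # assumption: one minute is plenty for an app-to-browser hop


@dataclass
class HandoffRecord:
    user_id: str
    audience: str      # which web app is allowed to redeem this token
    expires_at: float  # epoch seconds


class HandoffTokenService:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._store: Dict[str, HandoffRecord] = {}  # sha256(token) -> record

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash: a leaked store cannot be replayed as live tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, audience: str) -> str:
        """Called by the mobile backend AFTER it has validated the app's own
        access token; user_id comes from that validated token, never from input."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        record = HandoffRecord(user_id, audience, self._clock() + HANDOFF_TTL_SECONDS)
        with self._lock:
            self._store[self._fingerprint(token)] = record
        return token

    def redeem(self, token: str, audience: str) -> Optional[str]:
        """Called by the web app. Returns the user_id exactly once, or None."""
        with self._lock:
            # pop() under the lock makes the token single-use even under
            # concurrent redemption attempts; a failed check still consumes it.
            record = self._store.pop(self._fingerprint(token), None)
        if record is None:
            return None
        if self._clock() > record.expires_at:
            return None
        if not hmac.compare_digest(record.audience, audience):
            return None
        return record.user_id


def build_handoff_url(web_app_base: str, token: str) -> str:
    """The URL the native app opens in the system browser (query string, as the
    question proposes)."""
    return f"{web_app_base}?{urlencode({'handoff': token})}"


def token_from_url(url: str) -> Optional[str]:
    """What the web app's landing endpoint extracts before calling redeem()."""
    values = parse_qs(urlsplit(url).query).get("handoff", [])
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    svc = HandoffTokenService()
    # Mobile backend side: the app presented a valid access token for user "u-123".
    t = svc.issue("u-123", audience="https://web.example.com")
    url = build_handoff_url("https://web.example.com/sso/landing", t)
    # Web app side: read the token off the request and redeem it once.
    print(svc.redeem(token_from_url(url), "https://web.example.com"))  # u-123
    print(svc.redeem(token_from_url(url), "https://web.example.com"))  # None (already used)
```

The three checks in redeem() are the ones that make this pattern tolerable: the token is consumed on first use whatever the outcome, it expires after a short TTL, and it is bound to the web app that is allowed to redeem it. A token carried in the query string, as the question proposes, does end up in browser history, in server and proxy access logs and potentially in Referer headers, so the web app should redeem it server-side, establish its own session cookie at once, and redirect to a URL that no longer contains the token.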
In general, we do not recommend using Embedded Login or the Resource Owner Password Grant flow unless the clients are highly trusted and there are no other options.
For Native apps to work with SSO, we recommend using the New Universal Login experience. You can learn more about it in the following documentation:
Our app currently uses embedded login. Is there a way to implement SSO while using this method?
We are considering implementing Universal Login in the future. However, until that is in place, we need to roll out our release, which requires native app to web (browser) SSO using embedded login.