Need Suggestion on accessing Web App in browser from Native iOS and Android App

We have a requirement in our product to allow users to access a web app in the browser seamlessly from our native mobile application. Currently, our mobile app uses Embedded login and the Resource Owner Password Credentials (ROPC) Grant flow, where the user provides their credentials to obtain a JWT token, which is then used to access our mobile backend APIs. We can not pass this same JWT token to Web browser due to security concerns.

We would like your guidance on implementing a secure and seamless SSO mechanism for users navigating from the native app to the web app in browser without requiring relogin.

Specifically:

  • Does Auth0 provide any built-in functionality for Native to Web SSO that could meet this requirement? If not, could you recommend an approach or best practices for implementing a secure solution?

  • We want to implement a nonce authentication pattern, where a mobile app will get the one-time short-lived token from Auth0 using the JWT token, and pass that one-time token as a query string parameter in the URL, Web App should be able to authenticate/authorize the user using the short-lived one-time token. Is it feasible to implement using Auth0?

Thank you for your assistance.

Hi @sumjash,

In general, we do not recommend using Embedded Login or Resource Owner Password Grant flow unless there are highly trusted clients and no other options.

For Native apps to work with SSO, we recommend using the New Universal Login experience. You can learn more about it in the following documentation:

Additionally, you should use the Authorization Code Flow with Proof Key for Code Exchange (PKCE) over the Resource Owner Password Grant flow. This way, you prevent any potential security risks that come from using ROPG with a low-trust public client.

We have a sample Native quickstart app that you can reference to build your app:

Let us know if you have any questions.

Thanks,
Rueben

Thank you, @rueben.tiow , for your response.

Our app currently uses embedded login. Is there a way to implement SSO while using this method?

We are considering implementing universal login in the future. However, until that is in place, we need to roll out our release, which requires Native App-Web (Browser) SSO using embedded login.

Hi @sumjash,

Thanks for the reply.

We strongly recommend implementing SSO with the Universal Login. See screenshot below:


(Reference: Centralized Universal Login vs. Embedded Login)

Using SSO with Embedded Login introduces security risks that can cause your app to be vulnerable to attacks.

However, if you decide to proceed with this, you could use Refresh Token Rotation to accomplish SSO.

Thanks,
Rueben

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.