Reuse token to authenticate user when opening default browser from mobile app

We have a native mobile app where we authenticate the user against Auth0 to retrieve a token.
Is it possible to reuse this token to authenticate the user in a web app that is opened in the default browser from the mobile app? So that the user doesn’t have to log into first the mobile app and then the web app.
When opening the browser, we are unable to set headers (bearer token) and can only specify the URL to open in the browser.
We could accomplish this using a WebView, but does anyone know of a way to achieve this with the default browser?

Hi @MartyParty

I have put this exact proposal to the Auth0 security team, and they were very emphatic about not reusing tokens this way. It is not a good idea.

To do what you want, use a redirect flow in the mobile app using the full web browser on the mobile device, not a webview. This will set Auth0’s session cookie, and then the web app on the mobile device will share the same session.

John

Thanks for investigating. Could you elaborate on why it is not a good idea?
Would it be okay from the mobile app to open the full web browser, redirect the user to the web application with the token as parameter and then use this token/parameter to authenticate the user? Or should we redirect to an Auth0 endpoint rather than the web application? If yes, what Auth0 endpoint to use?

@MartyParty

Basically, any time you use a token for any purpose other than the intended one, it is dangerous. It increases attack surface, and puts you outside the well trodden path, so you are in not throrougly understood area.

If you use the redirect flow I suggested, you get this for free.

John

@john.gateley Thanks for the information. If I understand your redirection login flow properly, it wouldn’t work if we are using a WebView in our native app. Any workaround to avoid login in both the app and the WebView? My initial thought was to share the token/cookies from the App to the WebView directly.

Any @john.gateley suggestions?
We have the same @felix.db 's scenarios, and we would like to share the credentials between the mobile app and embedded WebViews.
Any way to achieve it?

Hi @giordano.scalzo

The best way to achieve this is to use Auth0’s universal login page with Auth Code + PKCE flow. Then you get SSO between the mobile app and the web app. I am not sure about the embedded webviews having access to the cookie jar, that is required.

John

1 Like