Reuse token to authenticate user when opening default browser from mobile app

We have a native mobile app where we authenticate the user against Auth0 to retrieve a token.
Is it possible to reuse this token to authenticate the user in a web app that is opened in the default browser from the mobile app? So that the user doesn’t have to log into the mobile app first and then into the web app as well.
When opening the browser, we are unable to set headers (bearer token) and can only specify the URL to open in the browser.
We could accomplish this using a WebView, but does anyone know of a way to achieve this with the default browser?

Hi @MartyParty

I have put this exact proposal to the Auth0 security team, and they were very emphatic about not reusing tokens this way. It is not a good idea.

To do what you want, use a redirect flow in the mobile app using the full web browser on the mobile device, not a webview. This will set Auth0’s session cookie, and then the web app on the mobile device will share the same session.

John

Thanks for investigating. Could you elaborate on why it is not a good idea?
Would it be okay for the mobile app to open the full web browser, redirect the user to the web application with the token as a parameter and then use this token/parameter to authenticate the user? Or should we redirect to an Auth0 endpoint rather than the web application? If yes, which Auth0 endpoint should we use?

@MartyParty

Basically, any time you use a token for any purpose other than the intended one, it is dangerous. It increases attack surface and puts you outside the well-trodden path, so you are in a not thoroughly understood area.

If you use the redirect flow I suggested, you get this for free.

John
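The redirect flow John recommends in both replies, shown as an added example that is not code from the original thread or from Auth0: the mobile app launches the system browser at the tenant's `/authorize` endpoint with PKCE, Auth0 sets its session cookie in that browser, and the web app later sends its own `/authorize` request from the same browser and gets a code without a second login. No access token ever appears in a URL. The tenant domain, client IDs and redirect URIs are placeholders, and `token_leaks_in_url` is a small hypothetical check for the "token as URL parameter" idea from the question. The S256 computation is tested against the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions for this example, not a real tenant or app).
AUTH0_DOMAIN = "your-tenant.auth0.com"
MOBILE_CLIENT_ID = "mobile-client-id"
MOBILE_REDIRECT_URI = "com.example.app://callback"
WEB_CLIENT_ID = "web-client-id"
WEB_REDIRECT_URI = "https://web.example.com/callback"


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorize_url(client_id, redirect_uri, state, code_challenge, prompt=None):
    """Build the OIDC authorization-code request the browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt  # "none": fail instead of showing a login page
    return "https://%s/authorize?%s" % (AUTH0_DOMAIN, urlencode(params))


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the app and return the authorization code.

    The state must match the value we sent; otherwise treat it as a forged or
    mixed-up response. The code is then exchanged (with the code_verifier) at
    the token endpoint over a direct HTTPS call, never passed on to another app.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in query:
        raise ValueError("authorization failed: %s" % query["error"][0])
    return query["code"][0]


def token_leaks_in_url(url):
    """Hypothetical guard: True if a bearer-style token rides in query or fragment.

    URLs end up in browser history, proxy logs and Referer headers, which is
    one concrete reason not to hand the mobile app's token to the web app this way.
    """
    parsed = urlparse(url)
    keys = set(parse_qs(parsed.query)) | set(parse_qs(parsed.fragment))
    return bool(keys & {"access_token", "id_token", "token"})


if __name__ == "__main__":
    # Step 1, mobile app: open this URL in the platform's system-browser auth
    # session (not a WebView) so the Auth0 session cookie lands in the browser's jar.
    verifier, challenge = pkce_pair()
    mobile_state = secrets.token_urlsafe(16)
    print(authorize_url(MOBILE_CLIENT_ID, MOBILE_REDIRECT_URI, mobile_state, challenge))

    # Step 2, later: the mobile app opens the web app's plain URL in the same browser.
    # The web app has no local session, so it sends its own /authorize request with
    # its own client_id. The browser already carries the Auth0 session cookie, so
    # Auth0 can return a code without prompting; prompt=none makes a missing
    # session surface as an error rather than a login page.
    web_verifier, web_challenge = pkce_pair()
    web_state = secrets.token_urlsafe(16)
    print(authorize_url(WEB_CLIENT_ID, WEB_REDIRECT_URI, web_state, web_challenge, prompt="none"))
```

Each application keeps its own PKCE verifier and exchanges its own code; what the two share is only the Auth0 session cookie held by the system browser, which is exactly what a WebView would not give you.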