SSO not working on iOS 11+ on App using Auth0-Cordova plugin and website launched using Safari View Controller

Hi,

I’m trying to implement Single Sign On between a website (an SPA to be exact) and a PhoneGap App that uses the Auth0-Cordova plugin. I have ‘Enable seamless SSO’ enabled on my tenant’s dashboard.

Both the website and App use the Hosted Login page. On the App the Hosted Login page gets initiated via the Auth0-Cordova plugin (https://github.com/auth0/auth0-cordova), which I understand uses Safari View Controller for displaying the HLP.

My main use case is:

  1. User launches App
  2. User logs in via Auth0-Cordova plugin (and therefore the Hosted Login page)
  3. There are a couple of buttons on the App that, if clicked, launch the website in Safari View Controller.
  4. User should NOT have to enter credentials again
  5. Access token can be used to get data from resource server/api

On Android and iOS versions 9/10 this is working perfectly, as the cookie set on step 2 has persisted and the HLP works out we are already logged in.

However on iOS 11 and 12 the user sees the log in screen again on the website as the previous login was not remembered.

Does this seem related to the reduced cookie sharing ability between SafariViewController instances on iOS 11+? If so, I don’t understand how AFAuthenticationSession (iOS 12) or SFAuthenticationSession (iOS 11) would fit into this flow when using the Auth0-Cordova plugin.

The only other approach I can think of is ignoring the SSO approach and simply sharing the Access token from the App with the SPA (by passing it in the QueryString of the URL passed to SafariViewController), but I’m really not happy with this approach for obvious reasons… it would also have issues in that the token is short lived, and passing the Refresh token too seems like a bad idea!

Any help would be appreciated

Thanks
Simon

Indeed, the behavior you are seeing now is the result of Apple’s decision to isolate cookies in the SFSafariViewController.
The auth0-cordova package should be updated to ASWebAuthenticationSession (iOS 12+) or SFAuthenticationSession (iOS 11) to comply with Apple’s recommendations to get SSO across applications and Safari (standalone). I saw that you opened a GH issue for that, which is a great initiative.

Unfortunately, as you say in the GH issue, just upgrading auth0-cordova to support the recommended authentication methods won’t help in your scenario if you keep using the Safari View Controller, as this class will, by design, create a completely isolated sandbox for browsing, meaning that the session cookie previously created in your Auth0 domain won’t be available.

In sum, if you want SSO in iOS 11+, all the participants need to use ASWebAuthenticationSession or SFAuthenticationSession or the standalone Safari browser, as they all share the same session cookies.

I would stay away from any attempt at sharing the tokens between the apps. If you open your web app to accept any token that it didn’t request in the first place, you would be opening the doors for a login CSRF vulnerability. So, definitely, not recommended.


Thanks for the info, it’s good to get confirmation that I was understanding the issue correctly.

I’m still not sure what approach I’m going to take though to get this working; forking and updating the Auth0-Cordova package myself seems a little out of my comfort zone, especially considering time frames I have, but based on the repo activity it seems unlikely anyone else will be doing it anytime soon.

It doesn’t look like the authentication classes share session (i.e. transient) cookies. Docs for ASWebAuthenticationSession state:

All cookies, except session cookies, can be shared with Safari.

That seems to be the case for SFAuthenticationSession as well.
