I’m trying to implement Single Sign-On between a website (an SPA, to be exact) and a PhoneGap App that uses the Auth0-Cordova plugin. I have ‘Enable seamless SSO’ enabled on my tenant’s dashboard.
Both the website and the App use the Hosted Login page. On the App, the Hosted Login page gets initiated via the Auth0-Cordova plugin (https://github.com/auth0/auth0-cordova), which I understand uses Safari View Controller for displaying the HLP.
My main use case is:
- User launches App
- User logs in via Auth0-Cordova plugin (and therefore the Hosted Login page)
- There are a couple of buttons on the App that, if clicked, launch the website in Safari View Controller.
- User should NOT have to enter credentials again
- Access token can be used to get data from resource server/api
On Android and iOS versions 9/10 this is working perfectly, as the cookie set in step 2 has persisted and the HLP works out that we are already logged in.
However, on iOS 11 and 12 the user sees the login screen again on the website, as the previous login was not remembered.
Does this seem related to the reduced cookie sharing ability between SafariViewController instances on iOS 11+? If so, I don’t understand how AFAuthenticationSession (iOS 12) or SFAuthenticationSession (iOS 11) would fit into this flow when using the Auth0-Cordova plugin.
The only other approach I can think of is ignoring the SSO approach and simply sharing the Access token from the App with the SPA (by passing it in the query string of the URL passed to SafariViewController), but I’m really not happy with this approach for obvious reasons… It would also have issues in that the token is short-lived, and passing the Refresh token too seems like a bad idea!
Any help would be appreciated.