Why do you need to use universal login to achieve SSO with mobile apps, but not with web apps?

I am reading this article about Universal vs Embedded Login: https://auth0.com/docs/guides/login/universal-vs-embedded.
It says “If you are working with mobile apps you cannot have SSO unless you use Universal Login. With web apps you can.”
Why is this? Why are you able to achieve SSO with web apps with embedded login, whereas with mobile apps you need to use universal login?

Hi @gabe1,

I think this is answered later on in the doc.

" Mobile Apps & Security : According to the Best Current Practice for OAuth 2.0 for Native Apps Request For Comments, only external user agents (such as the browser) should be used by native applications for authentication flows. Using the browser to make native app authorization requests results in better security and it gives users the confidence that they are entering credentials in the right domain. It also enables use of the user’s current authentication state, making Single Sign-on (SSO) possible. Embedded user agents are deemed unsafe for third parties and should not be implemented (see Embedded Login with Auth0 > Security risks for more info). With native login a malicious app could try and phish users for username/password or tokens. Also, if your mobile apps use native login, then your users have to enter their credentials for each of your apps, hence SSO is not possible."

Let us know if you have further questions!

Thanks,
Dan

Hi @dan.woda, thanks for your reply. So it says “[Using the browser] enables use of the user’s current authentication state”, whereas “if your mobile apps use native login, then your users have to enter their credentials for each of your apps”. What is this authentication state that’s shared by web apps but not shared by native apps?

Have you read this article?

It is a really good resource for understanding how SSO works. With clarifying information about how the cookies are shared and although it doesn’t explicitly address your question about state, you can get an understanding about how the session is created between a user and the authenticator.

Do you have a specific concern or goal?

I don’t have a specific concern or goal; I’ve been using Auth0 for a few months and am going through the docs now just trying to understand everything.
I read the article you shared on SSO, thanks for that. It sounds as though you’re able to implement SSO using a web browser without using Universal login, so I assume there’s some central server associated with a browser that can unite different domains in the same browser in a way that can’t be done with separate mobile apps.
Does that make sense?

This chart does a good job of illustrating how SSO works in a browser based flow:

Because the domains can share storage in browser cookie storage, the server is able to determine if the user is already logged in via a cookie. If I am not mistaken, cookies in mobile applications that don’t utilize a browser based flow are going to isolated to within that single application, and cannot be shared across apps in the same way that a cookie can be shared across a browser between web apps.

Thanks,
Dan

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.