Hey smart people,
We have a scenario where a native mobile app using auth code with PKCE needs to pop a browser webview and get SSO to an Okta-protected SAML web app.
When we get access / ID tokens via an API call to /tokens using the refresh token, we get a blank sid cookie.
There’s a sid claim in the ID token. Could we fabricate a sid cookie with that and inject it into the webview?
Any other suggestions which avoid the user having to do primary auth? We’re on Okta classic.
Webview behaves closer to a sandbox VM, and ideally the Android webview doesn’t do well / errors out when there are external modifications. This may need a POC with the Android sample; however, we don’t have an out-of-the-box version that can help.
SSO between browser-based web applications is achieved by sharing cookies. Unlike web applications, native applications can’t use web cookies.
So cookie injection is something I haven’t tried to confirm if this can work with your use case. Ideally, since session cookies aren’t injectable, this can’t be supported. I will check with the team if there is any other way.
@abole Hey, sorry about that. I’ve tried a few things but haven’t had any luck yet. I’ll ask the team to take a look. By the way, any updates on the support ticket?
@abole This might require professional service assistance. We discussed this internally, and there is a way to do this without causing a lot of security loopholes in the process.