I have a React Native (iOS & Android) app and a Single-Page-App on the web. Both are backed by the same Node API using Okta accounts, but since one is newer than the other, their authentication/session management are very separate.
The native app sends credentials to the server, which uses a back-end Resource Owner Password call to /authorize to get an access token. The access token is stored on the client and is what keeps the user logged in.
The web app uses the Sign-In Widget to establish a session cookie for my Okta.com domain. (It also gets an access token for API calls.)
I’d like a user, logged into the app, to be able to press on a web link and open it in, let’s say, mobile safari, and already be logged into the web app.
I need a way to create or insert a valid session into the browser that opens right when the user taps a link. Here are some avenues I’ve explored.
- Store the session ID on the server. When the user logs into the app, get a session token. Then, do a back-end call to /authorize to get a session ID. Store the ID in the database. When the user taps a link, set the session ID in a cookie and redirect to the final destination.
  - Problem: Session cookies are on my Okta.com domain, not my web app domain. I can’t set cookies on another domain, I don’t think (iframe hack?).
- Generate a new session on link press. Use a session token to generate a session ID and redirect to the final destination.
  - Problem: Near as I can tell, session tokens are temporary and only generated with credentials. And of course since we aren’t storing credentials…
- Use my own session cookie on my domain instead of the okta.com session cookie. I found this middleware package to facilitate this path: https://github.com/okta/okta-oidc-js/tree/master/packages/oidc-middleware
- Use access tokens for maintaining the session in the web app, just like in the native app. I can set these easily via redirect. But then, what’s the session cookie for? Is this less secure?
Any other ideas other than these four? I’ve not explored the last two options as thoroughly as the first two, so would appreciate any caveats.
One last note: most of the native app guides talk about opening an in-app webview of some sort in order to do auth. I am strongly opposed to this because it would break existing apps, and IMO our onboarding UX flow would suffer. So I would prefer to keep solutions server-initiated.