Native SSO: Desktop and Mobile Apps Single Sign-On

When you hear SSO (Single Sign-On), you probably immediately think of web apps, and how you only need to sign into one web app first, then all other web apps give you seamless access. Unfortunately, for desktop and mobile applications (often referred to as “native apps”), the seamless web SSO experience (also referred to as native SSO) has not caught on. This is partly due to the lack of an industry standard or best practice on how to accomplish native SSO.


This is a companion discussion topic for the original entry at https://developer.okta.com/blog/2021/11/12/native-sso

Hey, the blog seems to specifically discuss two native apps using device SSO. However I am curious to know if this technique can also be harnessed to SSO from a Native App to a web app client within a webview on the native device.

Could the device secret and id token be passed (securely obviously) to a web client via a native webview, and the web client then uses them to request new id, access and refresh tokens for the web client?

Scenario summary: User authenticates natively. Native app launches a web app via webview that requires an id, access token and short lived refresh token. Can the native app pass the device_secret and id token to the webview and the web app within the webview requests new tokens for the user?

Thanks

This is more of a platform capability question. Here is a quick answer on iOS. There are two ways to display web content in iOS:

  • UIWebView or WKWebView: you can share cookie between the native app and the web container, e.g., through NSHTTPCookieStorage. So you can pass device_secret from native app to the web container, and launch a javascript in the web container to read the device_secret cookie and exchange it for tokens.

  • SFSafariViewController or ASWebAuthenticationSession: these are designed as isolated embedded browsers, which do not share anything with the native app, so you cannot share device_secret through cookies. There might be other ways to pass device_secret that I am not aware of yet.

1 Like