OpenID Connect: Passing authorization between a mobile app and a browser for SSO - what's a secure way to do it?

Question

I'm not sure there is a "proper" way, but before I just bodge together my own incompatible implementation, perhaps there's something in all the standards that can fit my need?

Here's the situation: Apple has declared that apps on their phones MUST include all standard functionality inside themselves. No more iframes with web content! If you need to show stuff from web, open the system browser (Safari)! Unfortunately we need to display stuff from web, so here we go...

Now, the app requires authentication which the user has done previously. We store whatever tokens we need. When the time comes to open the browser, we don't want to force the user to re-authenticate. We need to somehow pass the access credentials to the browser, and preferably do this securely. Furthermore, the webpage in the browser will need a token obtained from our OpenID Connect server.

Unfortunately, the only point of communication between the app and the browser is the URL, so everything that we give will be there, in plain sight. I know that OAuth was pretty worried about this, so much so that they made it impossible to intercept authentication with just the stuff visible on the screen and instead using things like single-use intermediary codes, backchannels and PKCE.

Unfortunately I cannot see any way to use the default flows "out of the box" to achieve what I need. I can think of modifications to those flows that would do it, but I'm not a security expert so I'd rather go with something standard which is vetted by experts.

Answer 1

SCENARIO

It's a good question since many companies want to show existing web content in a secured manner within a mobile app, and to avoid an extra login.

WEB + MOBILE INTEGRATED SOLUTION VIA DISCONNECTED BROWSER?

Ideally what you want to do is pass the mobile app's JWT to the external web content in an HTTP header. iOS APIs such as openURL may not support this however.

You may have to pass a JWT in a query string, in which case I would try to follow a signed request model, though it is not trivial. I have used SalesForce signed requests though not implemented a full solution myself.

• Mobile app calls an API method at POST /api/encrypt-token
• API returns an encrypted payload that includes the JWT
• Mobile app opens a web page at https://mywebapp?token=0a78904cwdu
• Web UI calls POST /api/decrypt-token to get the JWT
• Web UI stores the token in memory and uses it to call the API

You will want to prevent raw tokens being written to web server logs. I believe the recommendation for this type pf solution is to use a one time key, as described in the above link. And of course the web session will have some limitations such as silent token renewal not working.

WEB + MOBILE INTEGRATED SOLUTION VIA WKWEBVIEW

In the past I've managed secured web content in a mobile app by making the Web UI get access tokens from the mobile app. This enables an integrated UX and you can use a 'standard as possible' OAuth solution.

• When the Web UI runs within a mobile app's web views it no longer does its own OAuth handling and instead calls the mobile app to get tokens and trigger logins
• This means there is a single login across web and mobile views, and the Web View gets all the benefits of mobile user experience, such as secure storage of tokens
• The Web UI is no longer impacted by things like the web view aggressively dropping cookies

VALID USE OF WEB VIEWS?

Web views are probably not a good long term solution in most cases. I know that Apple are likely to reject apps in 2020 if they use any of these behaviours:

• Use of UIWebView - the Cordova default - you need to update to WKWebView
• Delivering an app that is solely a repackaged web site with no mobile views
• Displaying web content of a dubious nature (ads etc)

I suspect that use of WKWebView used responsibly and justifiably would be accepted. I could be wrong though, so please don't take my word for it.

UPDATE

Out of interest there is a nonce pattern that can be potentially used to shared data between web and mobile apps, though the simpler choice is often just to share data using APIs, and write views multiple times.