Introduction

This cool solution provides information for various methods used in the mobile application development world. This is all about how the application will authenticate the user and how this information is shared with other applications without compromising credentials.

Using a Web View

Web view is used to manipulate web content by mobile native application developers. Using a web view is the most common solution to SSO on Mobile. The application renders the SSO login page and handles authentication similar to browser based authentication experience. In case of OAuth2 or OpenID connect, web view handles authentication and hands over the Authorization token to the application. The application will make a direct connection to IDP and get the Oauth2 token and additional tokens in exchange of the Authorization token.

Advantages:

• User experience is better because authentication happens within the application.

• User authentication session belongs to the application and not shared across applications.

Disadvantages:

• Rendering login pages would be an issue if they are complex in nature, the application developer has to do many workarounds to overcome the issues of rendering and JavaScript actions.

• Web views don’t use regular cookie storage and the user is forced to authenticate every time the app is accessed.

• User authenticated session is not shared with other applications, without doing a workaround like writing shared key to shared storage location, for example, keychain in IOS.

• Cert based authentication, HTTP Basic, Kerberos authentication, are not supported with web view, the developer has to handle authentication types.

Using a System Browser

Some mobile applications use system browser to handle the login process. Native application launches system browser with the login url, the browser completes the authentication process and on successful authentication, redirect URI sent from server will open the application to hand over the authorization token. After receiving the Authorization token, the application contacts the server for Oauth2 token and refresh token etc., in exchange of Authorization token with OAuth2 provider.

Advantages:

• This solves the web view short comings, like handling complex login pages.

• Cookies stored to browser storage, this allows to share across applications, whatever application invokes system browser for authentication.

• Cert based authentication, HTTP Basic, Kerberos authentication etc., are handled by system browser.

Disadvantages:

• User experience won’t be good because of flashing application popups like browser and application.

• Login failures are not communicated back to the application.

• Authenticated session stays with the browser, unless an explicit logout call is made in the browser.

• Custom URI can’t guarantee it represents the right application. Hence there might be a chance the authorization code might be handed over to the wrong application.

Various other Approaches

1. Sharing access tokens between applications using the system keychain.
   
   
   
   1. This mechanism only works with all applications which are signed by the same developer.
   
   
2. This mechanism won’t work with SaaS or third party applications.

• Using NAPPS
  
  
  
  1. Token agent has to be installed on mobile to broker the authentication on behalf of the application.
  
  
• Application metadata has to be generated as part of authorization between token agent and application. This metadata information is used to decide which application can be served with agent.

• All Third party or SaaS applications may not be designed to work with token agent.

• New mobile OS in-built features
  
  
  
  1. Android OS offers custom chrome tab, gives more control over the web experience and make transitions between native and web content more seamless without having to resort to Web View.
     
     
     
     1. Some features of custom chrome tab: Simple to implement, UI customization, Navigation awareness, security, Performance optimization, Shared cookie jar, quickly return to app with a single tap, synchronized autocomplete across devices for better from completion.
     
     
  2. Provides call back mechanism to application upon external navigation.
     
     
     
  3. https://developer.chrome.com/multidevice/android/customtabs
  
  

• IOS 9.0 offers SFSafariViewController, it includes Safari features.
  
  
  
  1. Some of the features available with controller: Reader, AutoFill, security, shared cookies with safari.
  
  
• Provides call back mechanism to application.
  
  
  
• https://developer.apple.com/reference/safariservices/sfsafariviewcontroller

• IOS 9.0 also offers WKWebView. This provides alternate to web view of older IOS OS,
  
  
  
  1. It has performance booster and rendering of complex pages made easy.
  
  
• This control provides application to control the view.
  
  
  
• https://developer.apple.com/reference/webkit/wkwebview

 

Summary

Type of View Features

System Browser Safari, chrome

Custom Chrome tab

Web View Component WKWebView or android webview

IOS safari view controller SFSafariViewController

Authentication Session sharing

YES

YES Cookies are shared between system browser and controller

NO This is specific to application

YES Cookies are shared between system browser and controller

Browser based authentication like x509

YES

YES

NO Developer has to handle it

YES

Application control on view

NO Only on launch URL can be provided

NO Only initializing parameters can be passed

YES Application can manage this controller

NO Only initializing parameters can be passed

User Experience

Not Great User is bounced over to browser and application

Seamless and Rich

Seamless and Rich

Seamless and Rich

 

When the authentication session is shared between view controller and system browser, third party or SaaS applications might achieve SSO with no user credentials, if the application uses the same type of view controller that is used for authentication.

Refresh session can be done using controller running in hidden mode or background mode. It is the application responsibility to refresh session.

Note: This information is more in an abstract manner, the development team might face more challenges in employing SSO into an application, which is out of the scope of this cool solution.

Resources:

• https://www.netiq.com/documentation/access-manager-developer-documentation/

• https://www.netiq.com/documentation/access-manager-developer-documentation/resources/Mobile Authentication with NAM.pptx

• https://github.com/tutsplus/IOS-SafariViewControllerFinishedProject

• https://github.com/mackuba/SafariAutoLoginTest

• https;//code.tutsplus.com/tutorials/ios-9-getting-started-with-sfsafariviewcontroller—cms-24260

• http://developer.outbrain.com/ios-best-practices-for-opening-a-web-page-within-an-app/