sharing-cookies | Demo app for blog post | iOS library

REQUIREMENTS

So it seems you want a solution to invoke secured web content from a mobile app, and to avoid an extra login. It is a common requirement and I will be adding some stuff to my blog on this topic over the next month or so.

STATE OF THE INDUSTRY

The problem with the above is that third party cookies, such as those issued by Identity Providers, are often dropped by default these days due to browser security initiatives such as Intelligent Tracking Prevention changes - which is ON by default in Safari:

COOKIE PROPERTIES

Worth checking that your cookies are issued with SameSite=None, which will give you the best options for a third party cookie based solution.

MOBILE FIRST DESIGNS

In an OAuth world, in order to meet the requirements, it is likely to be necessary to send a token from the mobile UI to the web UI, which of course has prerequisites that need to be designed for:

• Web UI must use tokens
• Web UI must use different strategies for token handling depending on the host

OPTION 1

One option is to use a mobile web view to show the web content - see my code below:

• Web UI Code to ask the host for tokens
• Mobile UI Code to service these requests

OPTION 2

Another option is to send something representing the token in a query string parameter from the mobile app to the Web UI, in which case you need to ensure that:

• No usable tokens are recorded in web server logs
• The token has a one time use only

A typical implementation would look like this:

• Mobile UI calls an /api/token/encrypt endpoint
• API stores a token hash in a database and returns an encrypted value with a short time to live
• Token is sent from the Mobile App to the Web UI
• Web UI calls an /api/token/decrypt endpoint to get the real token
• The API's decrypt implementation deletes the database entry