However, if the user opens the browser directly and goes to application B, then how is their session established with the existing token?
If the response has a session state on the internal server, then how does the session state correspond to the user registered in application A with a new request for application B?
I would say that this is more about cookies and redirects than tokens. Tokens are generated after the identification of the user.
So, when you get to application B through a browser, application B redirects your user agent to the Auth server (which can, in turn, redirect you to the SSO site).
It should be noted that the SSO login request is an HTTP request between your browser and the SSO server.
So, the SSO cookie already exists, because earlier application A also redirected your user agent to the Auth / SSO server where the login was made. After that, the SSO server can save a cookie between you and it.
I can see if I can log into application A and get a token, and then run application B from application A, passing the token to application B.
I'm not sure that I understand that application A transfers its token to application B. Typically, applications (OAuth 2.0 clients) will not share tokens. Application B should make its own request to the Auth server, which (if the user is registered) can skip the login part, but then must confirm that:
If the user is logged in and has previously approved access to the scope, all this processing will be fully transparent to the end user, except for the redirects.
Assuming you are using the implicit grant flow (I noticed that one of your applications is an Angular application).
If you use the OAuth 2.0 code, password, or client grants, then you can get a refresh token after the initial login and user consent.
The refresh token corresponds to long-term access (only for this application) without the need to log in again and obtain consent from the end user more than once.
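The redirect-and-cookie behaviour described in the answer above can be traced with a small simulation. This is an added example, not code from the original post: `AuthServer`, the client ids `app-a` / `app-b`, the user `alice` and the `read` scope are constructed for illustration, and the token is returned directly in the redirect as in the implicit flow.

```python
import secrets

class AuthServer:
    """Toy authorization server: SSO session cookie plus per-client consent."""
    def __init__(self, users):
        self.users = users        # username -> password (constructed sample data)
        self.sessions = {}        # SSO cookie value -> username
        self.consents = set()     # (username, client_id, scope)
        self.tokens = {}          # access token -> (username, client_id, scope)

    def login(self, username, password):
        """Login between the browser and the SSO server; returns the SSO cookie."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def authorize(self, client_id, scope, sso_cookie=None, approve=False):
        """Authorization request that arrives via redirect from a client app."""
        user = self.sessions.get(sso_cookie)
        if user is None:
            return ("login_required", None)      # no SSO cookie: show login page
        key = (user, client_id, scope)
        if approve:
            self.consents.add(key)               # user clicked "allow" for this client
        if key not in self.consents:
            return ("consent_required", None)    # logged in, scope not yet approved
        token = secrets.token_urlsafe(16)
        self.tokens[token] = key
        return ("redirect_with_token", token)    # straight back to the client

    def introspect(self, token, client_id):
        """A token is honoured only for the client it was issued to."""
        user, issued_to, _scope = self.tokens.get(token, (None, None, None))
        return user if issued_to == client_id else None

def demo():
    auth = AuthServer({"alice": "correct horse"})
    steps = [auth.authorize("app-a", "read")[0]]              # first visit to A
    cookie = auth.login("alice", "correct horse")             # browser keeps cookie
    _, token_a = auth.authorize("app-a", "read", cookie, approve=True)
    steps.append(auth.authorize("app-b", "read", cookie)[0])  # B opened directly
    step, token_b = auth.authorize("app-b", "read", cookie, approve=True)
    steps.append(step)
    steps.append(auth.authorize("app-b", "read", cookie)[0])  # later visits to B
    return steps, auth, token_a, token_b
```

Application B never sees application A's token: it gets its own from the Auth server, and the existing SSO cookie is what lets the login page be skipped.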