Thus, the standard SSO approach for native mobile applications (both Android and iOS) looks like OAuth2 + OpenID Connect through the AppAuth library.
This is all well and good - and actually looks elegant.
But what if the same application contains a built-in web view component that needs to access resources using the same SSO (on the same server in the same web applications as its own code, where all resources require authentication for access)?
To begin with, OAuth2 access tokens (after receiving them) do not automatically apply to hyperlink requests in a web application, etc., right? So do web application pages really need to be re-engineered using JavaScript for such a distribution? A mobile application can rewrite requests for addressing, but:
- At least on Android, this only applies to GET requests (right?)
- More critically, this suggests that the web application should not function in a normal browser
Is OAuth2 the wrong approach? If so, this seems like a shame - because AppAuth seems pretty enjoyable for the native side of applications. It’s just mixing basic web browsing into the picture that really creates a mess.
Or is there just some de facto standard JavaScript library that can be mixed with Angular or the like (and then using Angular or the like is required)?