
We have a native iOS and Android app with a custom login form that authenticates a user directly via an authentication endpoint of an OAuth2-enabled identity provider (the app sends the user credentials via HTTP request to the identity provider and gets a JWT as response).

The app does not have the possibility to open a browser with a callback URL or an in-app browser to open the login form of the identity provider directly, so there is no possibility to set a cookie for SSO. The app does sometimes redirect the user to other services (in the web browser) that are using the same identity provider. Until now, the user is forced to enter his credentials again to sign in.

We're now looking for a (secure) way to implement SSO with the app, without the need to use a cookie-enabled (in-app) browser for the app login.

A solution we thought about:

  • sending a valid access_token to the identity provider together with the target URL of the service
  • the identity provider validates the token and the target url
  • the identity provider authenticates the user after successful validation and redirects the user to the service

Can this be considered a secure solution? Is there a standardized way we don't know about to do something like that?

Moritz
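As an added illustration of the hand-off flow proposed in the question (this is example code written for this page, not code from the question's author or from any identity provider), the sketch below shows the checks such an IdP endpoint would need before redirecting: the access token is verified (signature, `alg`, `iss`, `aud`, `exp`), the target URL is matched against an exact-origin allowlist rather than a prefix check, and the browser is never handed the long-lived access token itself but a short-lived, single-use code that the target service redeems on a back channel. The example assumes the app calls the IdP from the app over HTTPS and then opens the returned redirect URL in the system browser. HS256 JWTs are hand-rolled with the standard library so the file runs offline; the issuer, audience, secret, origins and `sso_code` parameter name are all constructed for the demo.

```python
"""Added example (not from the original question): an IdP hand-off endpoint
that validates an access token plus a target URL and redirects with a
single-use code. Keys, URLs and names are constructed for the demo; a real
IdP would verify asymmetric (RS256/ES256) signatures with an audited library."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode, urlparse

ISSUER = "https://idp.example"                 # constructed
AUDIENCE = "sso-handoff"                       # constructed
HANDOFF_SECRET = b"demo-secret-do-not-use"     # constructed, HS256 key
# Exact-origin allowlist (scheme + host [+ port]). Prefix or substring matching
# on the whole URL is how open redirects happen (see rejects() cases in usage).
ALLOWED_ORIGINS = {"https://service-a.example", "https://service-b.example:8443"}
HANDOFF_CODE_TTL = 60                          # seconds a hand-off code lives
_issued_codes: dict = {}                       # code -> (sub, origin, expires_at)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (demo only; stands in for the IdP's real token issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Verify signature, algorithm, issuer, audience and expiry; raise on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # reject alg=none / confusion attacks
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def validate_target(target_url: str) -> str:
    """Return the target's origin if it is an absolute https URL on the allowlist."""
    u = urlparse(target_url)
    if u.scheme != "https" or not u.netloc or "@" in u.netloc:
        raise ValueError("target must be an absolute https URL without userinfo")
    origin = f"{u.scheme}://{u.netloc}"
    if origin not in ALLOWED_ORIGINS:          # exact match, never startswith()
        raise ValueError("target origin not allowed")
    return origin


def handoff(access_token: str, target_url: str, now: Optional[float] = None) -> str:
    """IdP side: return the URL the app should open in the browser, or raise."""
    now = time.time() if now is None else now
    claims = verify_jwt(access_token, HANDOFF_SECRET, now)
    origin = validate_target(target_url)
    # Bind a fresh single-use code to subject and origin; the access token
    # itself never reaches the browser, its history or the service's logs.
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (claims["sub"], origin, now + HANDOFF_CODE_TTL)
    sep = "&" if "?" in target_url else "?"
    return f"{target_url}{sep}{urlencode({'sso_code': code})}"


def redeem_code(code: str, service_origin: str, now: Optional[float] = None) -> str:
    """Service side (back channel): exchange the code once for the subject."""
    now = time.time() if now is None else now
    entry = _issued_codes.pop(code, None)      # pop makes the code single-use
    if entry is None:
        raise ValueError("unknown or already-used code")
    sub, origin, expires_at = entry
    if now >= expires_at or origin != service_origin:
        raise ValueError("code expired or bound to another service")
    return sub


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to demonstrate the negative cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The one-time `sso_code` plays the same role as the authorization code in the standard OAuth2 code flow: it is short-lived, bound to one subject and one service, and useless after a single redemption, so leaking the redirect URL costs far less than leaking the access token would. Note that `validate_target` rejects `https://service-a.example.evil.example/`, `https://service-a.example@evil.example/` and plain `http://` targets, all of which a `startswith("https://service-a.example")` check would let through.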

0 Answers