I work for a B2B SaaS company which services companies that have different Single Sign On providers. We're working on integrating SSO into the mobile and server side of things using the OpenID Connect & OAuth 2.0 protocols.
I'm just double checking that I understand the flow correctly, so please correct me if I'm wrong:
The expected flow is:
- User opens the mobile app and enters their email
- Using Tenant Discovery we determine which IDP they are using (if any) and redirect them to the login page using a CustomTab (We're using AppAuth library on iOS and Android)
- They enter their credentials, which go to their IDP with a PKCE
- AppAuth receives an AuthToken, which it then uses with the code_verification of the PKCE to get an access token.
- The mobile app takes the access token and hands it off to our server in a login post with the user email.
- The server uses the access token to back-channel talk to the IDP and verify the user by grabbing their email address.
- The user's email address is verified, then we generate our authentication and cross site forgery cookies, which are returned to the client.
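The PKCE pieces and the server-side check in the flow above, as an added example that is not part of the original post: what AppAuth generates on the device, what the IDP's token endpoint verifies, and what our server should check on the userinfo response it gets back over the back channel. The function names and the sample userinfo response are assumptions constructed for this example.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side (AppAuth does this): 32 random bytes -> 43-char verifier, kept on the device."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)); sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def idp_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """IDP token endpoint: the authorization code is only exchanged for tokens if the verifier
    hashes to the challenge bound to that code, so an intercepted code alone is not enough."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


# Constructed sample of what the tenant's userinfo endpoint might return for the access token.
SAMPLE_USERINFO = {"sub": "248289761001", "email": "jane@example.com", "email_verified": True}


def server_accepts_login(userinfo: dict, claimed_email: str) -> bool:
    """Our server, after calling the userinfo endpoint of the IDP that tenant discovery picked
    (never one named by the client). Accept only if the IDP asserts the email is verified and
    it matches the email the app posted; only then mint the session and CSRF cookies."""
    if not userinfo.get("sub"):
        return False
    if userinfo.get("email_verified") is not True:
        return False
    return userinfo.get("email", "").strip().lower() == claimed_email.strip().lower()


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("PKCE exchange ok:", idp_verifies_pkce(challenge, verifier))
    print("login accepted:", server_accepts_login(SAMPLE_USERINFO, "Jane@Example.com"))
```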