Overview

In many native (mobile) applications, users authenticate via an OpenID Connect flow—launching a system or in-app browser to sign in at the OpenID Provider (OP). The app receives ID tokens, refresh tokens, and access tokens. Yet, when the same app later opens a web page (in a custom tab or SFSafariViewController), there is no straightforward mechanism to transfer the established “app session” into a browser session. This often forces re-authentication or leaves the user in an unauthenticated state in the browser context.

Proposed Solution

To bridge this gap, we propose a short-lived, single-use Session Transfer Token that an OIDC Client (the native app) can request and then pass to a new web context, allowing the browser to seamlessly create or refresh an SSO session at the OP. This approach leverages existing OIDC components and session management concepts while improving user experience and security.

Outline

1. Token Issuance: Short-lived, single-use token from the IdP.
2. Token Redemption:
   • RP-Initiated Flow: The Relying Party (RP) begins a standard OpenID Connect (OIDC) or OAuth 2.0 flow, passing the STT to the Identity Provider (IdP) (e.g., via login_hint) so that user interaction is minimized or avoided entirely.
   • IdP-Initiated Flow: The native app directly navigates to the IdP with the STT. The IdP sets an SSO cookie (or refreshes the existing one), then redirects the user to the RP, which completes an OIDC flow silently, recognizing the already-authenticated user.

This session explores the design considerations, flow diagrams, security measures, and practical scenarios needed to implement frictionless single-sign-on across native apps and in-app browsers.