Support SSO login for native apps

[NilsBaumgartner1994]

Summary

Currently we are having hard times when SSO logins should be supported for native apps like react native.
The problem is, we don't want to use an "In-App-Browser" due to security concern for users. Such an "In-App-Browser" could be mocked and grab your user credentials.

Alternatively a native app would open the phone browser which then authenticates at the SSO and would finally redirect the user to the app using "Deep Link".

Here comes the problem. As the Deep Link only opens our app, the app has no access to the phone browser cookies nor will send them at requests. Even if it would send them, these cookies would be cleared when the user would clear the brower cache.

Therefore we have currently no access to the auth data when login in via SSO.

As a workaround we could create a custom endpoint which redirects to the app via Deep Link and passes as an argument a refresh token: #22427
This workaround is not very secure as:

• The refresh token is exposed via the url, and the client therefore should clear them as soon as obtained
• An attacker could create a malicous link which would redirect the user to the attacker exposing the refresh token. Therefore the "redirect" url has to be checked against a whitelist.

As this workaround works for native apps it exposes some challenges and security concerns. Either I am missing here how to send the auth_data to directus within an React-Native app, Accessing the cookie from the browser or something different.
I believe we need a possibility for a SSO-Login for the SDK Client: #19723

Basic Example

No response

Motivation

Support of Directus SSO Login for Native Apps

Detailed Design

An implementation and handling of the tokens from within the SDK-JS

Requirements List

Must Have:

• Support of SSO Providers

Should Have:

• An option to pass the refresh_token

Drawbacks

Alternatives

Adoption Strategy

Unresolved Questions

How to keep security up and to pass the credentials to the app?