# ory-network
f
Hi everyone, @gentle-bird-90474 and I are using a WebView within our React-Native app to display an OwnCloud page which uses SSO from Ory. The OwnCloud service is managed by us and the SSO is 1st party in that case (we can theoretically skip the consent process, we are not sure about the login). Is it even possible to bypass the login screen without compromising security, considering that the user is already logged in in the app? Our app's authentication process: We call `initializeSelfServiceLoginFlowWithoutBrowser` from `@ory/kratos-client` `V0alpha2Api`:

```typescript
new V0alpha2Api(
  new Configuration({
    basePath: kratosUrl,
    baseOptions,
  }),
  kratosUrl,
  axios
)
```
The React Native WebView API accepts passing headers, cookies (as part of the headers) and even injecting JavaScript into it. Our initial thought was somehow providing it with session information so that it can be used as a way to skip the login screen entirely during the SSO process. Thank you!
p
Hi @fancy-napkin-38843
> Is it even possible to bypass the login screen without compromising security, considering that the user is already logged in in the app?
I am a bit confused by this since the login flow will just succeed if there is a valid cookie. e.g. react-app -> webview (with cookie) -> sso login -> checks session -> redirects back with token -> get session in app
f
Hi @proud-plumber-24205 thanks for replying. So we have a valid session within our react-native mobile app. The app shows OwnCloud within a WebView (similar to an iframe on websites). We wonder if it is possible to pass the session as parameters to the WebView without compromising security. From our mobile app to the WebView (website) we can pass headers, cookies (as part of the headers) and inject javascript into it. The flow is react-native mobile app -> WebView (with session info passed by the react-native app, e.g. a JWT token) -> sso login -> checks session (with the info the mobile app provided) -> redirects back with token -> get session in OwnCloud (within the WebView). So in summary we wonder if we aren't compromising security passing the session information from the mobile app to the WebView. And if it's possible (we know/are pretty sure that http-only cookies will not work for example, so maybe a JWT should be used in that case). Do you have any ideas if it's fine in a security perspective and if it's feasible?
p
I'm not sure, I don't know what the implications would be in regards to the WebView. I would think that if the WebView is contained (sandboxed) and cannot be accessed by other applications on the device, then it should be fine? In any case we are looking into implementing OIDC flows for native api requests which would resolve this use case. /cc @bland-eye-99092
f
Thank you @proud-plumber-24205 for the response! @bland-eye-99092 do you have any opinion/info about this?
b
We are actively working on social login on native, but have no timeline yet.