Native SSO based on Token Exchange

Cross Identity’s native SSO solution is based on token exchange and builds on an OIDC draft spec Native SSO for Mobile Apps. The following diagrams from the spec illustrate the flow to enable native SSO.

Sign-in to the first application is similar to a regular OIDC sign-in, using a system browser. The only difference is that we request the device_sso scope, and in return, we receive a device_secret along with the returned tokens.

Native App1 Interaction 

Step1- Step8 are the standard OpenID Connect authorization_code flow with the following extensions. 

In Step 2, the device_sso scope is specified signifying that the client is requesting a device_secret to be returned when the code is exchanged for tokens.

After step 8, Native App #1 stores the device_secret and id_token in the protected device storage accessible only to Native App #2.

Native App2 Intercation

 

Native App #2 uses the stored data from the shared device storage to obtain tokens for the user thus enabling the app to access the user's resources (i.e. SSO) 

Step [9] invokes the /token endpoint with the token exchange profile passing the id_token obtained from the shared device storage, the client_id and the device secret. 

Step [10] returns the SSO-generated refresh and access tokens for Native App #2.