Currently, I have the following solution: an app that utilizes an Identity Provider (IDP) for OAuth 2.0 authentication (the IDP does not support OpenID). This application receives an authorization code and then exchanges it for access/refresh tokens to consume APIs. There's also a web application that follows the same OAuth authentication flow.
We have a requirement that, when I'm in the app and want to access a link to the web app, it shouldn't be necessary to authenticate again.
Within the OAuth flow, this would work (since OAuth URLs have Single Sign-On between them). However, to avoid needing re-authentication, I understand the following conditions must be met:
1. The browser used to authenticate the app must be the same as the one used for the web app, as the OAuth flow's authentication cookie needs to be active.
2. The authentication cookie's TTL must be equal to the tokens' expiration date, since if the cookie expires before the refresh token, re-authentication is necessary.
3. The IDP needs to be configured to allow multiple authentication sessions.
Due to business/security decisions, item 3 is not allowed, and item 1 might not always be true since the app uses a web view that is probably a different browser than the web app.
Is there any other OAuth-based way to achieve this solution without satisfying items 1 to 3?
I've been researching using identity federation. However, it's not clear to me whether it solves the problem or whether we'd run into the same requirements as listed in items 1 to 3. For instance, if I use Google as an IDP, upon accessing the app, it will redirect to the IDP, and after authentication, the IDP returns a SAML response to my app. When I click to access the web app, if I'm not in the same browser where I initially authenticated, I would need to authenticate again.
Moreover, having a SAML response alone isn't sufficient, as I still need an access token. In this case, my IDP would need to provide a way for me to exchange the SAML response for an access token (I'm still checking whether this is possible).
Thanks in advance.