I'm working on the application environment below. It involves a mobile App which uses an AWS lambda based API. The App requires authentication and the API is secured using JWTs.
I need to introduce a view of an externally hosted authenticated web application into the App with the following requirements:
- The App user should have a seamless 'logged in' experience; they should not have to log in to the external application.
- The external application is provided to the App using HTML over HTTPS. The App displays this using a webview component (specifically, a WKWebView in iOS).
- In the future the App will display the external application natively, using the external application's API.
- The external application should not be available to a browser client - it must be secured so that it is only accessible from the webview in the App.
- The external application will not be part of the same domain as the App's API, nor will it have any shared authentication method.
We're currently considering the following setup:
- The App will make a request (connection 1) to the API, requesting the external application credentials/session details for the user.
- The API Lambda sends the user's details to the external application (connection 3)
- The external application establishes a session for the user (this may involve creating the user locally) and returns the user's session/access credentials.
- The user's session/access credentials are passed back to the App via the API Lambda.
- The App receives the details it needs to access the external application back from the API request.
- The App sets up the webview using the URL of the external application and the required headers/cookies from the received details.
- The App sets up the 'logged in session' by setting the request headers/cookies in the webview component.
- The external application receives a request for a logged in session (connection 2)
- The App user sees the authenticated external application, without any visibility of any session setup/login step.
With regard to ensuring access to the external web application is prevented if it is not from the App, we are able to establish filters/rules and have considered the following:
- Set up a known referrer/user agent and ensure the request matches
- Add a custom HTTP header with a value which can be verified as having come from the App. Perhaps we'd sign this with a shared secret as part of the flow above.
- It has been suggested that we might use request certificates - we have no experience of this and would need to investigate this to work out if that is the case
I'm looking for advice/suggestions to help us make the best choices. Is there something we could consider which I didn't mention above?
Thanks for any help.
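As an added illustration of the second option in the question (a custom header whose value is signed with a shared secret), not code from the asker or from any product named above: the API Lambda mints a short-lived HMAC-signed proof on connection 1, the App relays it in a header on connection 2, and the external application checks it before serving anything. The header name, claim layout, lifetime and secret value are all assumptions. Two design points worth noting from a defender's side: referrer and user-agent values are set by whoever makes the request, so they identify nothing; and the shared secret lives only in the Lambda and the external application, never in the App binary, so the App cannot mint proofs itself and a leaked proof is bounded by its expiry and nonce.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Placeholder secret: provisioned out of band to both the API Lambda and the
# external application (e.g. from a secrets manager); never shipped in the App.
SHARED_SECRET = b"placeholder-shared-secret-replace-me"
HEADER_NAME = "X-App-Session-Proof"   # hypothetical header name
MAX_AGE_SECONDS = 300                  # proof lifetime; bounds the replay window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_proof(user_id: str, now: Optional[float] = None) -> str:
    """API Lambda side (connection 1): build the value the App sends in HEADER_NAME."""
    issued = int(time.time() if now is None else now)
    claims = {
        "sub": user_id,
        "iat": issued,
        "exp": issued + MAX_AGE_SECONDS,
        "nonce": secrets.token_hex(8),   # lets the receiver reject a re-sent proof
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_proof(value: str, now: Optional[float] = None,
                 seen_nonces: Optional[set] = None) -> Optional[dict]:
    """External application side (connection 2): claims if the proof is genuine and fresh, else None."""
    try:
        body, tag = value.split(".", 1)
        expected = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
        current = time.time() if now is None else now
        if not (claims["iat"] <= current < claims["exp"]):
            return None                  # expired, or issued "in the future" (clock skew/tampering)
        if seen_nonces is not None:
            if claims["nonce"] in seen_nonces:
                return None              # replay of a proof already accepted
            seen_nonces.add(claims["nonce"])
        return claims
    except (ValueError, KeyError, TypeError):
        return None                      # malformed header: treat as unauthenticated


def is_request_from_app(headers: dict, now: Optional[float] = None,
                        seen_nonces: Optional[set] = None) -> Optional[str]:
    """Gate for the external application: the user id if the request carries a valid proof, else None."""
    value = headers.get(HEADER_NAME)
    if value is None:
        return None
    claims = verify_proof(value, now, seen_nonces)
    return None if claims is None else claims["sub"]


if __name__ == "__main__":
    proof = mint_proof("user-42")                           # constructed sample user
    print(is_request_from_app({HEADER_NAME: proof}))        # user-42
    print(is_request_from_app({"Referer": "https://app.example"}))  # None: referrer alone proves nothing
```

The nonce store is an in-memory set here; across several external-application instances it would need shared storage with the same TTL as `MAX_AGE_SECONDS`. Because the proof is bound to a user and an expiry rather than to a transport, it is a complement to, not a substitute for, serving the external application over HTTPS only.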