> The mobile app gets access and refresh tokens from cookies (is it even possible for a mobile app to retrieve HTTP-only cookies from the web view?)
I don't think so.
But what you could do is as follows:
- Enable JWT in the session recipe on the backend.
- When the user logs in inside the web view, redirect the user to a deep link carrying the JWT from the session. This JWT will then be available in your mobile app. Or maybe there is some other way to transfer info from the web view to the app? Not sure.
- Send the JWT to the backend; the backend verifies it and creates a new long-lived JWT, which your app stores in the keychain guarded by Face ID. Along with that, the backend creates a new regular SuperTokens session as well.
- When the user opens the app again, Face ID unlocks the keychain to get the long-lived JWT, which can again be used to create a new session.