Redirect to mobile app after post login on web wit...
# support-questions-legacyd
Diesel
06/19/2022, 8:40 AMRedirect to mobile app after post login on web with the tokens
Diesel
06/19/2022, 8:40 AM(I opened a thread on my own hope its fine)
I need some guidance. Im trying to let my mobile apps use a website to sign in users since native support for ios isnt quite available yet.
What im trying to do to achieve this -
User wants to sign in from mobile so the app opens a browser to the login website and after sign in the website redirects back to the mobile app. The redirect will be done with deeplink but i would also need to read the cookies in the browser and send the accesstoken and refreshtoken as params in the deeplink to the app. I also see the refresh token is saved on the session/refresh path and not the general path / like the access token so that may be a problem.
Maybe im doing something wrong and you support a better way to achieve this?
r
rp_st
06/19/2022, 8:42 AMHey @Diesel deep linking to your app is certainly possible, but you shouldn’t send the access and refresh token to the native app since you will have to write logic to store them and keep the session alive yourself (which can be complex and that’s what our SDK does anyway)
rp_st
06/19/2022, 8:44 AMWhat you want to do is to enable JWT in our sessions, and send that to the native app
rp_st
06/19/2022, 8:44 AMI mean send the JWT to the native app.
rp_st
06/19/2022, 8:44 AMThen your iOS app can store it easily and send it on each request.
rp_st
06/19/2022, 8:45 AMOn the backend, you can have the normal session verification (provided by supertokens) and JWT verification (for iOS apps only).
rp_st
06/19/2022, 8:45 AMAnd once we have an iOS SDK, you can switch over to using supertokens sessions entirely
d
Diesel
06/19/2022, 8:52 AMThe logic to keep the session alive on the apps would be to call the session/refresh API in case the backend returns 401 cause access token is expired and save the new access token and refresh token from the set-cookie header in the response?
The thing is that we would really like to keep the refresh token mechanism as oppose to one JWT token the ios app can use.
r
rp_st
06/19/2022, 8:53 AMHmm I see. Yea that’s the logic, but you need to be careful to synchronise calls to the refresh token api since calling them in parallel can cause false positives for session theft, thereby revoking the session.
d
Diesel
06/19/2022, 9:03 AMWhat do you mean by synchronise the calls? like not calling the refresh api in parallel from one device with the refresh token?
So i could enable this feature on the session https://supertokens.com/docs/session/common-customizations/sessions/with-jwt/enabling-jwts
and pass in the redirect the jwt token instead to the mobile apps?
r
rp_st
06/19/2022, 9:05 AM> What do you mean by synchronise the calls? like not calling the refresh api in parallel from one device with the refresh token?
Yes. It means that if two API requests that were made in parallel both return with a 401, only of them should call the refresh API whilst the other should wait for the refresh to finish. After refresh, both should retry the original request.
> and pass in the redirect the jwt token instead to the mobile apps?
You could. And then you would pass this JWT in each API request from the iOS app.
d
Diesel
06/19/2022, 9:09 AMgot it thanks
105 Views