Native to Web SSO and Sessions
When a WebView or browser initiates a call to the /authorize
endpoint, Auth0 determines if there is an active session, and then either reuses the existing session or honors the provided session_transfer_token
. To avoid session injection risks, Auth0 uses a safe and predefined evaluation to determine if the session_transfer_token
is valid. To learn more, read Configure and Implement Native to Web SSO.
Specific Native to Web SSO flows can result in the following behaviors:
The user is logged in when a valid
session_transfer_token
is sent and there is no pre-existing Auth0 session.The user is logged in when a valid
session_transfer_token
is sent and a pre-existing Auth0 session is found for the same user.The user is prompted to login when a pre-existing Auth0 session is found and the
session_transfer_token
belongs to a different user. Additionally, the pre-existing Auth0 session is revoked.The user is prompted to log in when a pre-existing Auth0 session is found and the
session_transfer_token
is invalid.
Sessions and refresh token revocation
A session_transfer_token
is used to initiate a secure session in a WebView or browser to securely authenticate the user without being prompted to login. These web sessions may also issue their own refresh tokens.
Native to Web SSO applies a set of revocation rules to ensure consistent and secure behavior when sessions and refresh tokens are revoked:
When a refresh token is revoked, it also revokes its associated refresh tokens and sessions if
enforce_cascade_revocation
is enabled in the native application.When a web session is revoked, it also revokes its associated refresh tokens if
enforce_online_refresh_tokens
is enabled in the web applicationNested Native to Web SSO is not allowed. A web session created using a
session_transfer_token
cannot generate anothersession_transfer_token
.