Native to Web SSO and Sessions
Native to Web SSO is currently in Beta. To request access, contact Auth0 Support. To learn more about Auth0's product release cycle, read Product Release Stages.
When a WebView or browser initiates a call to the /authorize endpoint, Auth0 determines if there is an active session, and then either reuses the existing session or honors the provided session_transfer_token. To avoid session injection risks, Auth0 uses a safe and predefined evaluation to determine if the session_transfer_token is valid. To learn more, read Configure and Implement Native to Web SSO.
Native to Web SSSO does not change standard Auth0 Single Sign-On authentication.
Specific Native to Web SSO flows can result in the following behaviors:
The user is logged in when a valid
session_transfer_tokenis sent and there is no pre-existing Auth0 session.The user is logged in when a valid
session_transfer_tokenis sent and a pre-existing Auth0 session is found for the same user.The user is prompted to login when a pre-existing Auth0 session is found and the
session_transfer_tokenbelongs to a different user. Additionally, the pre-existing Auth0 session is revoked.The user is prompted to log in when a pre-existing Auth0 session is found and the
session_transfer_tokenis invalid.
Web applications can issue their own refresh tokens. To ensure session integrity, Auth0 links all downstream sessions and refresh tokens to the original initiating native application.
Native to Web SSO applies a set of revocation rules to ensure consistent and secure behavior when sessions and refresh tokens are revoked. The Native to Web SSO cascade revocation feature is not available during Early Access and is expected to be available for General Availability.