/authorize endpoint, Auth0 determines if there is an active session, and then either reuses the existing session or honors the provided session_transfer_token. To avoid session injection risks, Auth0 uses a safe and predefined evaluation to determine if the session_transfer_token is valid. To learn more, read Configure and Implement Native to Web SSO.
Native to Web SSSO does not change standard Auth0 Single Sign-On authentication.
- The user is logged in when a valid
session_transfer_tokenis sent and there is no pre-existing Auth0 session. - The user is logged in when a valid
session_transfer_tokenis sent and a pre-existing Auth0 session is found for the same user. - The user is prompted to login when a pre-existing Auth0 session is found and the
session_transfer_tokenbelongs to a different user. Additionally, the pre-existing Auth0 session is revoked. - The user is prompted to log in when a pre-existing Auth0 session is found and the
session_transfer_tokenis invalid.
Sessions and refresh token revocation
Asession_transfer_token is used to initiate a secure session in a WebView or browser to securely authenticate the user without being prompted to login. These web sessions may also issue their own .
Native to Web SSO applies a set of revocation rules to ensure consistent and secure behavior when sessions and refresh tokens are revoked:
- When a refresh token is revoked, it also revokes its associated refresh tokens and sessions if
enforce_cascade_revocationis enabled in the native application. - When a web session is revoked, it also revokes its associated refresh tokens if
enforce_online_refresh_tokensis enabled in the web application - Nested Native to Web SSO is not allowed. A web session created using a
session_transfer_tokencannot generate anothersession_transfer_token.