Native to Web SSO is currently available in Early Access. To request this feature, you must have an Enterprise plan. To learn more about Auth0’s product release cycle, review Product Release Stages.
/authorize endpoint, Auth0 determines if there is an active session, and then either reuses the existing session or honors the provided session_transfer_token. To avoid session injection risks, Auth0 uses a safe and predefined evaluation to determine if the session_transfer_token is valid. To learn more, read Configure and Implement Native to Web SSO.
Native to Web SSO does not change standard Auth0 Single Sign-On authentication.
- The user is logged in when a valid session_transfer_token is sent and there is no pre-existing Auth0 session.
- The user is logged in when a valid session_transfer_token is sent and a pre-existing Auth0 session is found for the same user.
- The user is prompted to log in when a pre-existing Auth0 session is found and the session_transfer_token belongs to a different user. Additionally, the pre-existing Auth0 session is revoked.
- The user is prompted to log in when a pre-existing Auth0 session is found and the session_transfer_token is invalid.
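The decision table above, modelled as a small function so the four outcomes can be checked side by side. This is an added illustration, not Auth0's implementation: the token's cryptographic validity is assumed to have been verified upstream and is reduced to a boolean, and the one case the list does not cover (no existing session, invalid token) is assumed to fail closed with a login prompt.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Native to Web SSO rules at /authorize; not Auth0 code.
# Signature, expiry, audience and single-use checks on the session_transfer_token
# are assumed to have already run and are represented by the `valid` flag.


@dataclass
class Session:
    user_id: str
    revoked: bool = False


@dataclass
class SessionTransferToken:
    user_id: str
    valid: bool


@dataclass
class Decision:
    outcome: str                   # "login" (silent), "prompt" (interactive) or "reuse"
    revoked_existing: bool = False  # True when the pre-existing session was revoked


def evaluate_authorize(existing: Optional[Session],
                       token: Optional[SessionTransferToken]) -> Decision:
    """Decide what /authorize does for a given existing session and transfer token."""
    has_session = existing is not None and not existing.revoked
    if token is None:
        # No transfer token: standard SSO behaviour, reuse the session if present.
        return Decision("reuse" if has_session else "prompt")
    if not token.valid:
        # Invalid token never grants access. The page states this for the
        # pre-existing-session case; failing closed without a session is an assumption.
        return Decision("prompt")
    if not has_session:
        return Decision("login")
    if existing.user_id == token.user_id:
        return Decision("login")
    # Token belongs to a different user than the current session: revoke the
    # existing session so it cannot be carried into the other user's flow.
    existing.revoked = True
    return Decision("prompt", revoked_existing=True)
```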
Sessions and refresh token revocation
A session_transfer_token is used to initiate a secure session in a WebView or browser, authenticating the user without prompting them to log in. These web sessions may also issue their own refresh tokens.
Native to Web SSO applies a set of revocation rules to ensure consistent and secure behavior when sessions and refresh tokens are revoked:
- When a refresh token is revoked, it also revokes its associated refresh tokens and sessions if enforce_cascade_revocation is enabled in the native application.
- When a web session is revoked, it also revokes its associated refresh tokens if enforce_online_refresh_tokens is enabled in the web application.
- Nested Native to Web SSO is not allowed. A web session created using a session_transfer_token cannot generate another session_transfer_token.