Great news for mobile developers! Google recently contributed the AppAuth open source client libraries for mobile single sign-on (SSO) to the OpenID Foundation. Mobile application developers now have a client library to enable best-practice federated SSO to their applications using OAuth 2.0 and OpenID Connect.
The AppAuth libraries make it easy for application developers to enable standards-based authentication, SSO and authorization to APIs. They handle the open standards protocol implementation and best practices security, as well as user experience considerations for federated SSO. This allowing developers to focus on the business requirements of the application instead of the considerations around authentication.
Here are some best practices for federated mobile SSO and the benefits they yield:
Using OAuth 2.0 and OpenID Connect to authenticate application users over an open standard protocol--this enables a consistent, secure authentication flow for customers, partners and employees across web and mobile applications.
Leveraging the Proof Key for Code Exchange (PKCE) extension to enhance the implementation of OAuth 2.0 in mobile applications--this enables the use of refresh tokens and removes the need to store or distribute client secrets.
Handling user interaction via the shared web components (SFSafariViewController in iOS and Custom Tabs in Android)--this enables a shared session to IdP login forms and provides access to the shared keystore for enterprise X509 authentication.