iOS MSAL B2C silent authentication for mobile webview

[onlinebear99]

The problem: When using silent authentication, the mobile webview’s cookies are not refreshed. This results in the need to restart the interactive login flow. The B2C SSO will expire in a short time, in our case 15 minutes. After the expiry, there is no way to silent authenticate the SSO for mobile web views.

The solution: Provide a mechanism so that mobile silent authentication will also refresh the webview cookies. This will allow for a seamless flow for the mobile user. Most banking apps will now allow for biometrics with Face ID or Fingerprint ID. The user expects a seamless flow of all SSO components. The silent authentication is built into the MSAL mobile SDK. We need for this silent authentication to refresh the mobile web views in addition to the B2C token.

[ameyapat]

Once a token is expired, it is by design to get it interactively

[onlinebear99]

This flow does not work for mobile biometrics. A user signs in with face ID, even after the token is expired. They expect proper flow and not to login again. We spent 10 months working with Microsoft on this issue. The current B2C flow is not working with mobile biometrics.

Brian Adams
Mobile architect
Mr. Cooper