Gartner Research

Single Sign-On in Native Apps and Modern Web Apps

Published: 22 May 2017

ID: G00322323

Analyst(s): Erik Wahlstrom

Summary

Organizations increasingly use industry standards when implementing SSO in native apps and modern web apps (also known as single-page applications). This research helps technical professionals get SSO right when implementing OAuth 2.0 and OpenID Connect (OIDC) in apps, balancing cost, usability and security.

Table of Contents

Analysis

  • The Evolving Landscape of SSO in Apps
  • Protecting APIs Used by Apps
  • The Dance
    • Browsers Are the Heart of SSO
    • Keeping Access Tokens Up-to-Date in Apps
    • Increasing the Trust in Public Clients
  • Building Native Apps
    • Key Storage in Different Operating Systems
    • Shared Key Stores and SSO Agents
    • Hybrid Apps
  • Building Modern Web Apps
    • Key Stores in Browsers
    • Web-Server-Aided Code Flows for Modern Web Apps
  • Strengths
  • Weaknesses

Guidance

  • Avoid Proprietary Methods for SSO in Native Apps and Web Apps
  • Know Your OAuth 2.0 and OIDC Flows
  • Use Proven Server-Side and Client-Side Libraries
  • Follow the Principle of Least Privilege
  • Manage Consents
  • Balance the Usability of Apps With Their Risks
  • Use the AppAuth Pattern When Building Native Apps
  • Experiment With Web-Server-Aided Code Flows for Modern Web Apps
  • Use the Implicit Flow for Modern Web Apps — But Stay Up-to-Date
  • Terminate Sessions and Explicitly Delete and Invalidate Active Tokens

The Details

  • The Alternatives to Bearer Tokens
  • App Wrapping and VPN
  • Support for Interapp Communication in Operating Systems
  • Cross-Origin Resource Sharing (CORS)
  • Evaluation Criteria for Authorization Servers
  • Evaluation Criteria for Native App Libraries
  • Evaluation Criteria for Modern Web App Libraries
  • Evaluation Criteria for Resource Servers
  • Commonly Used Libraries for Native Apps
  • Commonly Used Libraries for Modern Web Apps

Gartner Recommended Reading

©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
