I’d recommend reading up on OAuth2 workflows. It works essentially the same as an OAuth2/OpenID Connect login on the web, except, instead of redirecting back to a website, you need to redirect back to an app using the app’s URI scheme (e.g., those “yourapp://something” URLs you might see some places).
In general, it’s something like:
- Open the login page in a web browser
- User logs in
- Login page redirects back to the app with information in the URL (not cookies) that is needed to log in. This could be a code that is exchanged for an access token by using another endpoint (the “authorization code” workflow) or the access token itself (the “implicit” workflow), which is then used on future requests to the server.
So, if you’re using WebBrowser.openAuthSessionAsync(), the result when that completes will include the full redirect URL called by the login page (I believe this is only true on iOS 11 - to get the redirect URL on Android, you need to use the Linking API to listen for the app-specific URL). This will include your code or access token. No cookie reading required. In fact, I think it’s even impossible to read the cookies from these browser windows even in the base iOS or Android code.
Where cookies come into play with the “AuthSession” is that the browser windows it opens on each OS (SFAuthenticationSession on iOS and Chrome Custom Tabs on Android) have access to the OS browser’s cookie jar, so, if you had logged into the authentication provider in the browser, then you would still be logged in when your React Native app goes to that site. If you use openBrowserAsync(), then it uses an embedded browser window that does not have access to the OS browser cookie jar.
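
Added example, not part of the original post: one way to handle the redirect URL that comes back to the app, checking that it really targets the app's redirect URI before pulling out the code or access token. `REDIRECT_PREFIX`, `parseAuthRedirect`, `parseParams` and the use of a `state` value sent with the login request are assumptions for illustration.

```javascript
// Added example. REDIRECT_PREFIX and the state value are assumptions.
const REDIRECT_PREFIX = "yourapp://something"; // scheme from the post's example

// Decode "a=1&b=2" into an object; throws URIError on bad percent-encoding.
function parseParams(s) {
  const out = Object.create(null);
  for (const pair of s.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i === -1 ? pair : pair.slice(0, i);
    const val = i === -1 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(val.replace(/\+/g, " "));
  }
  return out;
}

function parseAuthRedirect(url, expectedState) {
  if (typeof url !== "string" || !url.startsWith(REDIRECT_PREFIX)) {
    return { ok: false, reason: "unexpected redirect target" };
  }
  const rest = url.slice(REDIRECT_PREFIX.length);
  // The prefix must end at "?" or "#", so "yourapp://something-else" fails.
  if (rest !== "" && !"?#".includes(rest[0])) {
    return { ok: false, reason: "unexpected redirect target" };
  }
  try {
    const hashAt = rest.indexOf("#");
    const beforeHash = hashAt === -1 ? rest : rest.slice(0, hashAt);
    const qAt = beforeHash.indexOf("?");
    const query = parseParams(qAt === -1 ? "" : beforeHash.slice(qAt + 1));
    const frag = parseParams(hashAt === -1 ? "" : rest.slice(hashAt + 1));
    const all = { ...query, ...frag };
    if (all.error) return { ok: false, reason: "provider error: " + all.error };
    if (!expectedState || all.state !== expectedState) {
      return { ok: false, reason: "state mismatch" };
    }
    // Authorization code flow: the code arrives in the query string.
    if (query.code) return { ok: true, flow: "authorization_code", code: query.code };
    // Implicit flow: the token arrives in the URL fragment.
    if (frag.access_token) return { ok: true, flow: "implicit", accessToken: frag.access_token };
    return { ok: false, reason: "no code or token in redirect" };
  } catch (e) {
    return { ok: false, reason: "malformed redirect" };
  }
}

// Constructed sample redirect, not captured from a real provider.
console.log(parseAuthRedirect("yourapp://something?code=abc123&state=s1", "s1"));
```

The same function can be fed the URL from the auth session result or the one delivered through the Linking listener.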