feat: add support for Native to Web SSO

[subhankarmaiti]

Implements Native to Web SSO functionality enabling seamless authentication between native contexts and WebViews. Applications can obtain session transfer credentials from native SDKs to establish authenticated web sessions without re-authentication.

Usage

const { getSSOCredentials } = useAuth0();

const credentials = await getSSOCredentials();
// { sessionTransferToken, tokenType, expiresIn, idToken?, refreshToken? }

// With parameters
await getSSOCredentials(
  { audience: 'https://api.example.com' },
  { 'X-Custom-Header': 'value' }
);

[pmathew92]

@claude

[github-actions]

Claude finished @pmathew92's task —— View job

---

Code Review Complete

• Read PR diff and understand changes
• Read AGENTS.md for project context (not found, proceeding with review)
• Perform code quality review
• Perform security review
• Perform performance review
• Provide inline feedback on specific issues
• Post overall assessment

Overall Assessment

❌ This pull request requires fixes before it can be merged. A critical compilation error was identified in the Android implementation that will prevent the code from building, along with several type safety issues that could cause runtime failures.

Critical Issues:

• Compilation Error: The Android implementation calls a non-existent method handleCredentialsManagerError (line 415)
• Type Safety: Unsafe type casting in the Android implementation that will fail with ClassCastException if non-String values are passed in parameters or headers

Additional Issues:

• Type definitions use overly permissive any types that bypass TypeScript's type safety
• Test code contains empty catch blocks without explanatory comments
• Unnecessary default value assignments that change function semantics
• Minor code quality issues with unused parameters

The TypeScript/React implementation, iOS native implementation, and test coverage are well-structured. Once the critical Android issues are resolved, this will be a solid addition to the library.

---

[Copilot]

Pull request overview

This PR adds Native to Web SSO functionality, enabling seamless authentication between native mobile apps and web contexts. The implementation allows applications to obtain session transfer credentials from native SDKs to establish authenticated web sessions without requiring user re-authentication.

• Introduces SessionTransferCredentials type with session transfer tokens for web SSO
• Adds getSSOCredentials method across all platform-specific implementations (iOS, Android, Web)
• Integrates the feature into React hooks (useAuth0) with comprehensive test coverage for native platforms

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
src/types/common.ts	Defines SessionTransferCredentials type with session transfer token, expiration, and optional rotated tokens
src/specs/NativeA0Auth0.ts	Adds TurboModule spec for getSSOCredentials native method signature
src/platforms/web/adapters/WebCredentialsManager.ts	Implements web adapter that throws appropriate error since SSO is native-only
src/platforms/native/bridge/NativeBridgeManager.ts	Implements native bridge to call native module with parameters and headers
src/platforms/native/bridge/INativeBridge.ts	Defines native bridge interface with comprehensive documentation
src/platforms/native/adapters/NativeCredentialsManager.ts	Implements credentials manager method with error handling
src/platforms/native/adapters/__tests__/NativeCredentialsManager.spec.ts	Adds comprehensive test coverage for all parameter combinations and error cases
src/hooks/Auth0Provider.tsx	Integrates getSSOCredentials into Auth0 context with error handling
src/hooks/__tests__/Auth0Provider.spec.tsx	Adds comprehensive test coverage for hook integration
src/hooks/Auth0Context.ts	Defines context interface with detailed documentation and usage examples
src/core/interfaces/ICredentialsManager.ts	Defines credentials manager interface with documentation
ios/NativeBridge.swift	Implements iOS native bridge calling credentials manager with parameters and headers
ios/A0Auth0.mm	Exports iOS React Native method bridging to Swift implementation
android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt	Adds method signature to Android old architecture spec
android/src/main/java/com/auth0/react/A0Auth0Module.kt	Implements Android native module with credentials manager integration

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The headers parameter is accepted but not used in the Android implementation. It's converted from ReadableMap but never passed to secureCredentialsManager.getSsoCredentials(). If headers are not supported by the Android SDK, this should be documented, or if they should be supported, they need to be passed through to the native SDK call.

[Copilot]

The documentation URL https://auth0.com/docs/authenticate/login/configure-silent-authentication references silent authentication, which is a different feature from Native to Web SSO using session transfer tokens. Consider linking to more specific documentation about session transfer tokens or Native to Web SSO if available, as silent authentication typically refers to refreshing tokens without user interaction in the same context, not transferring sessions between native and web contexts.

Suggested change

	* @see https://auth0.com/docs/authenticate/login/configure-silent-authentication
	* @see https://auth0.com/docs/authenticate/login/native-to-web-sso

[pmathew92]

https://auth0.com/docs/authenticate/single-sign-on/native-to-web/configure-implement-native-to-web
doc lonk to native to web

[Copilot]

The example code demonstrates using document.cookie and window.location.href, which are web APIs, but the documentation states this method is "only available on native platforms (iOS/Android)". This is confusing because the example shows web usage. Consider updating the example to show how to pass these credentials from a native app to a WebView or web context, or clarify that the example is for the web context that receives the token (not where getSSOCredentials is called).

[Copilot]

The example code demonstrates using document.cookie and window.location.href, which are web APIs, but this is a native-only method. This is confusing because the example shows web usage. Consider updating the example to show how to pass these credentials from a native app to a WebView or web context, or clarify that the example is for the web context that receives the token (not where getSSOCredentials is called).

Suggested change

	* // Get session transfer credentials
	* const ssoCredentials = await auth0.credentialsManager.getSSOCredentials();
	*
	* // Option 1: Use as a cookie
	* const cookie = `auth0_session_transfer_token=${ssoCredentials.sessionTransferToken}; path=/; domain=.yourdomain.com; secure; httponly`;
	* document.cookie = cookie;
	*
	* // Option 2: Use as a query parameter
	* const authorizeUrl = `https://${domain}/authorize?session_transfer_token=${ssoCredentials.sessionTransferToken}&...`;
	* // Native context: Obtain the session transfer token
	* const ssoCredentials = await auth0.credentialsManager.getSSOCredentials();
	*
	* // Pass the sessionTransferToken to your WebView or browser context.
	* // For example, inject it as a query parameter or via postMessage:
	* const authorizeUrl = `https://${domain}/authorize?session_transfer_token=${ssoCredentials.sessionTransferToken}&...`;
	* // Open the URL in a WebView or browser, or inject the token as needed.
	*
	* // --- In the web context (e.g., inside the WebView) ---
	* // Option 1: Set as a cookie (injected JS in WebView)
	* document.cookie = `auth0_session_transfer_token=${sessionTransferToken}; path=/; domain=.yourdomain.com; secure; httponly`;
	*
	* // Option 2: Use as a query parameter (already included in authorizeUrl)

[Copilot]

The new getSSOCredentials method in WebCredentialsManager lacks test coverage. Since other methods in this class have comprehensive test coverage (including error scenarios in WebCredentialsManager.errors.spec.ts), consider adding tests to verify that this method properly throws a CredentialsManagerError with the correct error message and code when called on the web platform.

[Copilot]

The comment indicates the token type is typically "N_A" for session transfer tokens. This appears to be a typo or unclear notation. If this refers to "Not Applicable" (N/A), it should be clarified or written as "N/A". If "N_A" is the actual literal value returned by Auth0, this should be documented more clearly to avoid confusion.

Suggested change

	/** The type of the token issued (typically "N_A" for session transfer tokens). */
	/** The type of the token issued (typically "N/A" for session transfer tokens). */

[Copilot]

The documentation URL https://auth0.com/docs/authenticate/login/configure-silent-authentication references silent authentication, which is a different feature from Native to Web SSO using session transfer tokens. Consider linking to more specific documentation about session transfer tokens or Native to Web SSO if available, as silent authentication typically refers to refreshing tokens without user interaction in the same context, not transferring sessions between native and web contexts.

Suggested change

	* @see https://auth0.com/docs/authenticate/login/configure-silent-authentication
	* @see https://auth0.com/docs/authenticate/login/native-to-web-sso

[Copilot]

The documentation URL https://auth0.com/docs/authenticate/login/configure-silent-authentication references silent authentication, which is a different feature from Native to Web SSO using session transfer tokens. Consider linking to more specific documentation about session transfer tokens or Native to Web SSO if available, as silent authentication typically refers to refreshing tokens without user interaction in the same context, not transferring sessions between native and web contexts.

Suggested change

	* @see https://auth0.com/docs/authenticate/login/configure-silent-authentication
	* @see https://auth0.com/docs/authenticate/login/session-transfer-tokens

[Copilot]

The documentation URL https://auth0.com/docs/authenticate/login/configure-silent-authentication references silent authentication, which is a different feature from Native to Web SSO using session transfer tokens. Consider linking to more specific documentation about session transfer tokens or Native to Web SSO if available, as silent authentication typically refers to refreshing tokens without user interaction in the same context, not transferring sessions between native and web contexts.

Suggested change

	* @see https://auth0.com/docs/authenticate/login/configure-silent-authentication
	* @see https://auth0.com/docs/authenticate/login/session-transfer-tokens

[Copilot]

The new getSSOCredentials method in NativeBridgeManager lacks test coverage. Since other methods in this class have comprehensive test coverage, consider adding tests to verify that this method properly calls the native module with the correct parameters and handles the response appropriately.

[pmathew92]

@subhankarmaiti , show an example in the Examples.md file for this flow E2E