Cross-Context SSO
The cross-context SSO feature simplifies the transfer of OAuth tokens from desktop or device browsers to native apps. You can find more information about this feature and instructions on passing the scanned QR code from the app to the onboarding process here.
Starting with SAP SDK version 25.4, this feature is enabled for both the restore and account creation flows. Let's explore this feature further and discuss its integration into the flows component.
Enable on Cockpit
To enable this feature, find your application in the cockpit and go to the 'Security' section to enable it. Then, copy the 'Onboarding SSO' URL and open it in a browser to get the QR code.

QR Code Content
The QR code contains the same application information as the one used in the onboarding process, but with a different OAuth client, for example:

    {
        "clientID": "71dc7fb3-7e70-4690-b733-b6172c064a61",
        "redirectURL": "https://androidsdkqiangz.web.app/oauth",
        "grantType": "password",
        "passcode": "01449fc3c9fc49e4ab6435462bf27611"
    }

The grant type is 'password'. The passcode property can be used to exchange an OAuth token within 30 seconds after the QR code is scanned.
Onboarding Flow Integration
In the onboarding flow, client apps can either scan the QR code themselves and then pass it to the onboarding process, or start the onboarding process and scan the QR code during the activation stage. In both scenarios, the onboarding flow exchanges the passcode for an OAuth token, which it uses for authentication. It then changes the grant type property of the OAuth client to authorization_code and removes the passcode property.
Restore Flow Integration
setUserCrossContextAppConfig
In SAP SDK version 25.4, the restore flow adds support for QR codes. However, the client app must pass the QR code before starting the restore flow using the setUserCrossContextAppConfig API. For example:
    QRReaderScreen(
        onClose = {
            navController.popBackStack()
        },
        onPermissionDenied = {
            navController.popBackStack()
        },
        rationaleSettings = PermissionRationaleSettings(
            permission = Manifest.permission.CAMERA
        )
    ) { code ->
        // Ignore further scans while a restore flow is already running.
        if (!runningState.value) {
            runningState.value = true
            try {
                // Parse the scanned QR code; an invalid code is handled by the catch block.
                val appConfig = AppConfig.createAppConfigFromJsonString(code)
                FlowUtil.startFlow(
                    context,
                    flowContext = FlowContextRegistry.flowContext.copy(
                        flowType = FlowType.Restore
                    ),
                    updateIntent = { intent ->
                        // Pass the cross-context configuration before the restore flow starts.
                        intent.populateCustomBundle {
                            setUserCrossContextAppConfig(appConfig)
                        }
                    }
                ) { _, _ ->
                    println("Restore flow done.")
                    runningState.value = false
                }
            } catch (ex: Exception) {
                // Report the failure and allow another scan.
                println("Error: ${ex.message}")
                runningState.value = false
            }
        }
    }
Please be aware:
- setUserCrossContextAppConfig takes an AppConfig as its argument. Client code needs to handle errors when scanning invalid QR codes.
- If the restore flow detects the cross-context application configuration, it first logs out to invalidate the current session and OAuth token. Then, it exchanges a new OAuth token using the passcode from the scanned QR code.
- If the restore flow can't exchange an OAuth token with the passcode, or the OAuth token doesn't belong to the current user, error dialogs appear. These dialogs then cancel the restore flow.
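One way a client app could screen the scanned OAuth client object before starting the restore flow, and track the 30-second passcode window. This is an added example, not SAP SDK code: QrCheck, checkCrossContextClient, passcodeStillUsable and PASSCODE_WINDOW_MS are hypothetical names, and the redirect URL rule is an assumption. It also assumes the caller passes the OAuth client object, in the shape shown under QR Code Content, as a JSON string, and that org.json from the Android platform is available.

```kotlin
import org.json.JSONException
import org.json.JSONObject
import java.net.URI
import java.net.URISyntaxException

// Hypothetical helper types for this example; not part of the SAP SDK.
sealed class QrCheck {
    data class Ok(val clientId: String, val scannedAtMs: Long) : QrCheck()
    data class Rejected(val reason: String) : QrCheck()
}

const val PASSCODE_WINDOW_MS = 30_000L // 30-second window described above

// Treats a missing key and an explicit JSON null the same way.
private fun JSONObject.text(key: String): String =
    if (isNull(key)) "" else optString(key).trim()

// Checks the OAuth client object shown under "QR Code Content".
// Rejection reasons never contain the passcode, so they are safe to log.
fun checkCrossContextClient(json: String, scannedAtMs: Long): QrCheck {
    val client = try {
        JSONObject(json)
    } catch (ex: JSONException) {
        return QrCheck.Rejected("not a JSON object")
    }
    if (client.text("clientID").isEmpty()) return QrCheck.Rejected("clientID missing")
    val redirect = try {
        URI(client.text("redirectURL"))
    } catch (ex: URISyntaxException) {
        return QrCheck.Rejected("redirectURL malformed")
    }
    // Assumption: a relative or cleartext-http redirect is never legitimate here.
    if (!redirect.isAbsolute || redirect.scheme.equals("http", ignoreCase = true)) {
        return QrCheck.Rejected("redirectURL not acceptable")
    }
    if (client.text("grantType") != "password") {
        return QrCheck.Rejected("grantType is not password: not a cross-context code")
    }
    if (client.text("passcode").isEmpty()) return QrCheck.Rejected("passcode missing")
    return QrCheck.Ok(client.text("clientID"), scannedAtMs)
}

// True while the passcode can still be exchanged; pass a monotonic clock
// reading (for example SystemClock.elapsedRealtime()) for both timestamps.
fun passcodeStillUsable(ok: QrCheck.Ok, nowMs: Long): Boolean =
    nowMs - ok.scannedAtMs < PASSCODE_WINDOW_MS
```

If passcodeStillUsable returns false before the flow is started, prompting the user to scan a fresh QR code avoids a failed token exchange.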
setLoginUserId
In addition to setting the cross-context AppConfig, client code can pass the login user ID using the setLoginUserId API. Please keep the following in mind when doing this:
- In a single user profile application, if the login user ID doesn't match the current onboarded user, the restore flow is canceled. An error dialog is displayed.
- In a multiple user profile application, if the login user ID is found in the local database, the SDK automatically switches to that user. If the login user ID isn't found, the SDK starts the account creation flow automatically.
- If the login user ID matches the current user but isn't onboarded, the reset passcode flow kicks in.
Scan User QR Code to Renew OAuth Token
SAP SDK includes a feature that automatically renews tokens when the current one expires. It does this by displaying the IDP login page in a browser or a WebView. Starting with SAP SDK version 25.8, clients can also scan the user's QR code to simplify the process. For more details, please refer to Extensions.