javascript authentication security webview postmessage

Is postMessage a Good Option for Injecting Access Tokens Into a Web View?


We want to make a web view that will need a user's access token to do calls to our API. The web view will be integrated into various applications. This web view will display a sign-in prompt, and successful authentication will give our system access to other systems on behalf of the user. So the application needs the user's access token ... in some way.

We are considering using the postMessage API for this task, but I have a few questions:

  1. Is postMessage a good fit for these kinds of web view apps, or will we meet a dead end somewhere, or lack certain features, or not be able to handle certain use-cases with postMessage?

  2. I've noticed that some web views first require a POST call to an API to authenticate the user, after which it returns a URL to a web view with a session. Why is this approach commonly used? What are its benefits and drawbacks compared to using postMessage? It seems like more hassle.


Solution

  • So I've looked around for a few days and it seems like using postMessage to inject tokens into an integrated web view is an OK alternative...

    However, an experienced developer told me that if developers want to open the webpage in SafariViewController (iOS) or Chrome Custom Tab (Android), or in the system browser, it can be more difficult ... idk, would think it was possible, but it seems like creating a URL gives the best developer experience.
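Added example, not part of the original question or answer: a sketch of the checks a postMessage token hand-off needs on both sides, assuming the web view is embedded in a way that delivers standard `message` events. The origin `https://host-app.example`, the `auth-token` message type and all function names are hypothetical.

```javascript
// Added example: origins, message shape and function names are assumptions.
const ALLOWED_HOST_ORIGINS = new Set(['https://host-app.example']); // constructed

// Returns the token if the event is an acceptable token hand-off, else null.
function extractToken(event, allowedOrigins = ALLOWED_HOST_ORIGINS) {
  // 1. Exact-match the sender origin; substring or prefix checks are bypassable.
  if (typeof event.origin !== 'string' || !allowedOrigins.has(event.origin)) {
    return null;
  }
  // 2. Accept only the expected message shape.
  const data = event.data;
  if (data === null || typeof data !== 'object' || data.type !== 'auth-token') {
    return null;
  }
  // 3. Sanity-check the token: non-empty string of bounded length.
  const token = data.token;
  if (typeof token !== 'string' || token.length === 0 || token.length > 4096) {
    return null;
  }
  return token;
}

// Web view side: pass validated tokens to the caller, ignore everything else.
function installTokenListener(target, onToken) {
  target.addEventListener('message', (event) => {
    const token = extractToken(event);
    if (token !== null) onToken(token);
  });
}

// Host side: name the web view's origin explicitly instead of '*', so the
// browser drops the message if the frame has navigated somewhere else.
function sendToken(frameWindow, token, webViewOrigin) {
  if (webViewOrigin === '*') {
    throw new Error('targetOrigin must not be "*" when sending a token');
  }
  frameWindow.postMessage({ type: 'auth-token', token }, webViewOrigin);
}
```

In a page, the web view would call `installTokenListener(window, ...)` and keep the token in memory rather than in a URL or in storage.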