
Chatmasta's (OP) flow is not incorrect, he just didn't describe it all. It is perfectly valid. The issue comes when the SDK opens the auth server's authorize endpoint in a WebView. In all cases, if the user is not authenticated with the auth server, he will need to log in. Technically this should be done via a browser redirect on the same page, not a WebView. So instead of the SDK opening a WebView, it should redirect the full browser window to the auth server's authorize endpoint, which will prompt the user to authenticate if he doesn't already have a session.

This is a problem with mobile apps unfortunately, since this type of browser interaction is going to be all over the place. For web apps it works just fine.
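The full-window redirect described in the comment above, sketched for a web app as an added example that is not part of the original comment or of any SDK discussed in the thread. It assumes an authorization-code grant with a `state` parameter; the endpoint URL, client ID, redirect URI, storage key and function names are hypothetical placeholders.

```javascript
// Added example. Endpoint, client values and function names are hypothetical.
const AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"; // constructed

// Unpredictable per-login value, checked again when the auth server redirects back.
function randomState() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthorizeUrl({ clientId, redirectUri, scope, state }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Navigate the whole browser window to the authorize endpoint instead of
// loading it in an embedded WebView. The auth server then shows its own login
// page if the user has no session there, or continues straight away if one exists.
// In a page: startLogin(config, window.location, window.sessionStorage)
function startLogin(config, nav, storage, state = randomState()) {
  storage.setItem("oauth_state", state);
  nav.assign(buildAuthorizeUrl({ ...config, state }));
}

// Runs on the redirect URI page. Returns the authorization code only when the
// returned state matches the one stored before the redirect.
function handleCallback(callbackUrl, storage) {
  const params = new URL(callbackUrl).searchParams;
  const expected = storage.getItem("oauth_state");
  storage.removeItem("oauth_state"); // single use
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  if (!expected || params.get("state") !== expected) {
    throw new Error("state mismatch");
  }
  const code = params.get("code");
  if (!code) throw new Error("missing authorization code");
  return code;
}
```
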


