| Currently, the InAppBrowser does not allow for SSO as it cannot share state and therefore sessions with the system browser. I did manage to get this working by forcing the Keycloak adapter to be the default one instead of the Cordova adapter, but this has its own drawbacks, namely:
- Slightly changing the default adapter to make it suitable for mobile. This would either require having our own fork of Keycloak or trying to get these changes merged upstream (unlikely to be met with approval as the default adapter is not designed to be used with mobile apps).
- The use of an iframe, which causes some stuttering on mobile apps. The user experience here is not the best.
- A slightly fragmented authentication process in our SDK which, in my opinion, could confuse developers.
I then started reading through Keycloak JIRA issues and the mailing thread to see if they were planning any work around this. I found this mail, which led me to this PR, which looks to address this exact issue and also has the support of Keycloak's main contributor. I have tried it out and it seems to work pretty well. In my opinion we should wait to implement SSO until this work has landed; once the linked PR is merged and released, the changes on our side will be trivial to implement. Looking at Keycloak's release cycle, it could be 3-4 weeks before this is available, depending on how fast the PR is merged, but as I said, I have tried it and it works, so it is hopefully not far from ready now. Wei Li, what do you think? |