RN isn’t a browser context so doesn’t have built-in cookie management. If you’re using OAuth2, I think the simplest thing to do is to extract the access token you get in the response and then inject that into each request you make.

I see. But when I perform the redirect to my app, I don't see how I can fetch the cookie to store it in the first place. My oauth2 flow is like this: • request to http://localhost:9500/oauth/google/login • after login success with google, redirect to my server end point /oauth/google/success • in the handler of the success, I use the access-token to fetch user info, store in db and add user name and permission to ring session • I then redirect the request (with the session that would be put in a cookie by ring) to my home page of my website (this work) or to the home screen of my app via Linking my-app:// and this prompt me if I wanna go back to the app after google login and if click yes it goes back to the app. However, in the mobile app, I need to retrieve the cookie somehow to read user from it and store it somewhere as you mentioned. You said, RN does not store cookie for me, but how can I get the cookie from the response? I tried using @react-native-cookies/cookies but without success. To open the oauth/google/login, I used

#(.openURL Linking "")

I think what you’re looking for is the URL string in the redirect back to my-app:// — you should be getting something like

This is what my session looks like on the server with what google returns:

{:oauth2/access-tokens
 {:google
  {:token "access-token"
   :extra-data {:scope " openid ",
                :token_type "Bearer"}
   :expires #object[org.joda.time.DateTime 0x4d5fe305 "2023-03-03T02:53:11.146Z"]
   :id-token "id-token"}}
 :user-id "user-id" ;; my own addition
 :user-roles (:editor :admin) ;; my own addition
}

secret_token was just made up, I haven’t worked with the Google OAuth implementation in a while so I don’t remember exactly what the params are. The token and id-token are injected into your session by your web server, which is interpreting the params in the redirect request it gets (e.g., ). So in your app, you need to capture that string when it’s used to open your app after Google redirects you back.

Thank you very much for the clarification. I tried to add an eventListener on the Linking in the frontend react native like so

(.addEventListener Linking "url" (fn [url] (println url)))

(str "my-app://?id-token=" (-> session :oauth2/access-tokens :google :id-token))

Hm, that event listener fn you have looks fine to me, and should print your url to the console. Can you double-check that the event listener is being added (maybe add like (println "adding event listener") just above)? It’s possible it’s being added in the wrong place, or you need to restart the app, or something similar.

Ok, I can finally capture the string. The code was not the problem, I needed to add some config in :

#import <React/RCTLinkingManager.h>

/// listen to incoming app links during your app's execution
- (BOOL)application:(UIApplication *)application
   openURL:(NSURL *)url
   options:(NSDictionary<UIApplicationOpenURLOptionsKey,id> *)options
{
  return [RCTLinkingManager application:application openURL:url options:options];
}

@U0E1JV8GK, I ended up writing a https://github.com/skydread1/flybot.sg/blob/master/server/src/flybot/server/core/handler/middleware.clj#L33 to get the ring-session cookie created by ring and passing it to the url in case the redirect Location is my-app:// and then I am able to capture this ring-session via the Linking Listener. To store the cookie on mobile I used https://react-native-async-storage.github.io/async-storage/docs/install/. It returns Promises, so I had to add additional re-frame dispatch in the Promise.then() to be sure my cookie is pulled before the app is initialised (http request to get post, user etc). Passing the cookie in the request was quite straight forward, I just added :headers {:cookie my-cookie} to the :http-xhrio fx for all the requests that require a session. I just wanted to explain what worked for me for future reference in case someone is facing the same issue. I am wondering if it is safe to just store the ring-session in AsyncStorage just like that? On my clients (web or mobile), I don't even read the value of the cookie I just pass it to every request and all the verification is done server side. Even my oauth2 redirect is actually not going to the client directly with the code but back to my server that would put tokens + some user info in the session for ring to encrypt in ring-session. I hope it is a correct way to do it. Thank you again for the help

AsyncStorage should be fine, it’s sandboxed to your app, so not available to anyone else.

Glad you got to a good solution!