How do I correctly implement and detect SSO sessions with the new API Authorization features?

With the old flows, I was just using Auth0.js’ getSSOData method to detect if an SSO session existed, and if so, I would redirect to Auth0 to automatically log the user in.

I’ve heard that using getSSOData is discouraged now, but I can’t figure out what the “correct” way to detect this. Please note that I’m talking about the Auth0 session as mentioned in this document.

If your client is meant to detect an SSO session, the correct way would be to use silent authentication to detect this. Auth0.js (currently at v8) provides a method renewAuth as documented here to make this flow easier.

The way this flow would work is:

• Client.com - Client.com (renewAuth is called on this page)
• account.auth0.com/authorize?...&prompt=none
• If the user is logged in:
• client.com/callback (with access_token, id_token, or code depending on the flow being used (determined by responseType in Auth0.js’ config))
• If the user is not logged in:
• client.com/callback#error=login_required&error_description=Login%20required

We have a very simple sample here that illustrates how this can be implemented.