Using silent authentication with React

I have two sites created with Create-React-App using React-Router-4.

site1.mydomain.com

site2.mydomain.com

Each site is using the same Single Page Application client on the same Auth0 account. I followed the Auth0 react example and have a separate class for auth0-js v8 functionality. The sites can login and authorize between the two.

I am trying to get site2.mydomain.com to automatically logout the user when the user logged out of site1.mydomain.com. The logout is executed by calling the logout() method on the webAuth api. I see some examples of using renewAuth to check to see if the user has logged out of Auth0. I am not sure how to properly implement the auto logout functionality. I noticed an example of using a setInterval to periodically check renewAuth(). Any tips or examples of this functionality in React would be greatly appreciated.

If both applications are already following the approach of authenticating through the hosted login page and then using renewAuth to get renewed tokens, then the approach you mentioned about using that method for detecting logout is basically the same. Since another application has triggered the logout, the next renew call will fail and you can interpret that as a logout. However, this will only work if you don’t require an immediate logout across all applications; more specifically, doing a renew call every twenty minutes is already very frequent, but acceptable, while doing a renew call on the seconds scale will likely just get you rate limited or considered abusive.

At this time, there’s no built-in way for other applications to be actively notified of the logout operation triggered at the identity provider when using OpenID Connect, however, the specification contemplates such mechanisms and I can inform you that we are considering implementing some of those. However, I can’t provide a definitive timeline for that.

The alternative which would give you the sense of immediate logout would be to orchestrate that notification at the client application level; however, this also implies that you control all the applications that need this immediate logout, and you would also have to find a suitable communication channel. For example, if all applications live in subdomains of the same parent domain, you could consider using cookies for communication.
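An added example, not code from this thread or from Auth0's SDK, of the two pieces the reply describes for the site1/site2 setup: a logout-signal cookie scoped to the parent domain that either site can read immediately, and a renewAuth check that treats a failed renew as a logout, throttled so it never runs on the seconds scale. The names LOGOUT_COOKIE, MIN_POLL_MS, classifyRenew, buildLogoutCookie, parseCookieHeader, logoutSignalled, checkOnce and startLogoutPoll are mine; the error-code strings and the renewAuth options are what I expect from auth0-js v8 and should be checked against the installed version. The fake webAuth at the bottom is constructed for the stand-alone run.

```javascript
// Added example for the site1/site2 question above; not part of the original thread.
// Assumed names: LOGOUT_COOKIE, MIN_POLL_MS and the helper functions below.

const LOGOUT_COOKIE = 'auth0_logout';       // assumed cookie name (carries only a timestamp, never a token)
const PARENT_DOMAIN = '.mydomain.com';       // parent of site1/site2 from the question
const MIN_POLL_MS = 20 * 60 * 1000;          // reply: a renew every ~20 minutes is frequent but acceptable

// Map the (err, authResult) callback of webAuth.renewAuth into a decision.
// auth0-js surfaces a missing Auth0 session as err.error === 'login_required'
// (assumed from the OIDC prompt=none error codes); anything else is transient.
function classifyRenew(err, authResult) {
  if (!err) {
    return authResult && authResult.accessToken ? 'renewed' : 'transient';
  }
  const code = err.error || err.code;
  if (code === 'login_required' || code === 'interaction_required' || code === 'consent_required') {
    return 'logged_out';
  }
  return 'transient'; // network error or rate limit: do not force a local logout
}

// Serialize the logout signal so every *.mydomain.com origin can read it.
// Max-Age is short on purpose: the cookie is a hint, renewAuth remains the authority.
function buildLogoutCookie(timestampMs, domain = PARENT_DOMAIN) {
  return `${LOGOUT_COOKIE}=${timestampMs}; Domain=${domain}; Path=/; Secure; SameSite=Lax; Max-Age=300`;
}

// Minimal document.cookie parser ("a=1; b=2" -> { a: '1', b: '2' }).
function parseCookieHeader(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True when another subdomain wrote a logout signal newer than this app's own login.
function logoutSignalled(cookieHeader, loginAtMs) {
  const raw = parseCookieHeader(cookieHeader)[LOGOUT_COOKIE];
  if (raw === undefined) return false;
  const ts = Number(raw);
  return Number.isFinite(ts) && ts > loginAtMs;
}

// One renewAuth round trip; fires onLogout only for a definite 'logged_out' answer.
// usePostMessage is the auth0-js v8 option for the hidden-iframe renew (assumed).
function checkOnce(webAuth, onLogout) {
  webAuth.renewAuth({ usePostMessage: true }, (err, authResult) => {
    if (classifyRenew(err, authResult) === 'logged_out') onLogout();
  });
}

// Periodic check, clamped so callers cannot poll faster than MIN_POLL_MS.
// Returns a stop function to call from componentWillUnmount.
function startLogoutPoll(webAuth, onLogout, intervalMs = MIN_POLL_MS) {
  const every = Math.max(intervalMs, MIN_POLL_MS);
  const handle = setInterval(() => checkOnce(webAuth, onLogout), every);
  return () => clearInterval(handle);
}

// Stand-alone run with a constructed webAuth whose session is already gone.
const fakeWebAuth = { renewAuth: (_opts, cb) => cb({ error: 'login_required' }, null) };
checkOnce(fakeWebAuth, () => console.log('renewAuth says logged out: clear local session'));
console.log('cookie to set on logout:', buildLogoutCookie(Date.now()));
console.log('signal seen by site2:', logoutSignalled(`${LOGOUT_COOKIE}=${Date.now()}`, Date.now() - 1000));
```

On logout, site1 calls webAuth.logout() and also sets the cookie from buildLogoutCookie; site2 checks logoutSignalled against its own login time on each route change and clears its local session when it is true. The renewAuth poll stays in place as the fallback for the case where the cookie has expired or site2 was not open when it was written.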