I have been trying to implement OIDC-compliant SSO between 2 client applications and it just won’t work.
- CLIENT 1: NodeJS web app
- CLIENT 2: Angular2 SPA
- SERVER 1: NodeJS REST API
Each client application has its own corresponding Auth0 Client configuration and is configured to be OIDC Conformant from the dashboard. The API has a corresponding Auth0 API configuration. Both client applications use the Auth0 Hosted Login Page to perform authentication.
The problem is that when I log in to Client 1 and then I navigate over to Client 2 and login, Client 2 goes through the full authentication flow. It is as if it knows nothing about the fact that I just logged in to Client 1 with the same user account.
I’ve been troubleshooting this for a few days. This is not a matter of me using the Google or FB development keys. I have my own custom application IDs for both.
For Client 1, I’m using the node auth 2.7 package and the auth0-oidc passport strategy. The authentication code looks like this.
const passport = require('passport');
// 'auth0-oidc' is the strategy name registered elsewhere with passport.use(...)
app.get('/login',
  passport.authenticate('auth0-oidc', {
    clientID: auth0Config.clientId,
    domain: auth0Config.domain,
    redirectUri: auth0Config.redirectUrl,
    audience: auth0Config.audience,
    responseType: 'code',
    scope: 'openid'
  }),
  function(req, res) {
    // Only reached once the strategy has redirected back and authenticated the user
    res.redirect('/');
  }
);
For Client 2, I’m using auth-js 8.8.
import * as auth0 from 'auth0-js';   // AUTH_CONFIG is assumed to come from the app's config module
export class AuthService {
  auth0 = new auth0.WebAuth({ clientID: AUTH_CONFIG.CLIENT_ID, domain: AUTH_CONFIG.CLIENT_DOMAIN });
  login() {
    // `options` was never defined in the posted snippet; the fields below are assumed
    this.auth0.authorize({ responseType: 'token id_token', redirectUri: AUTH_CONFIG.REDIRECT_URI, scope: 'openid' });
  }
}
Is there anything obvious about my approach that is causing my SSO failure?