
AMP (Accelerated Mobile Pages) suggested implementation for SSO

auth0

#1

We are developing the AMP version of our main website.
The main website and other applications are already sharing the SSO and we would like to provide the same user experience in the AMP pages.

When the user lands on an AMP page, if he/she has previously logged in to another application, we should recognise him/her and not show the paywall.

Problem:
For managing access to paid articles we use the amp-access component provided by Google’s AMP platform. In the current implementation, the AMP page is served from Google Cache servers. On an article page visit, it sends an authorization request to our server with the user’s details. The request looks like this: https://amp.yourdomain.com/authorization?readerId=…
If a user is not logged in, we will show a Log in button, which will redirect the user to the hosted Auth0 page: https://authenticate.yourdomain.com/authorize?client_id=…

If the user is logged in on another platform, we do not want to show a Log in button and want to show the article text. But when we receive the https://amp.yourdomain.com/authorization request, we are not able to check the user status with the Auth0 API, because we do not store any cookie on our domain regarding the user session.
Also, because of the limitations of the AMP platform, we cannot use the auth0.js library for silent authentication or any other custom JavaScript solutions.

What are your recommendations for achieving SSO between AMP pages and other traditional applications like SPAs or MPAs?

