Hi,
I'm trying to implement authentication using auth0, which is being served under a different domain.
Using getAccessTokenSilently is critical as the user may already have a session that could have been initiated from a different auth0 application from our organization.
Using Chrome, it all works fine and we're able to get the token from various apps if the user has logged in on any of the tenants.
The problem arises when we switch to Chrome Incognito or to browsers where third party cookies rules are more strict.
I've come across some other topics where people suggest using refresh tokens and local storage, but that cannot be done for my case. Refresh tokens are OK, but definitely not enough.
Why can't I use localStorage?
If the user logs out on any of the other tenants and gets back to one of the applications which uses localStorage, the user will still be logged in because the token still lives in the browser, which is incorrect.
What are the possibilities for this problem?
Ideally, the backend could use an endpoint such as /introspect in order to validate the token present in localStorage, but as far as I'm aware this is not possible using auth0.
What solutions do we have left?
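As an added illustration of the stale-token problem described in the post (this is example code, not from the original post and not auth0's SDK), the block below models a client-side cache policy for an access token kept in browser storage: the cached token is only reused while it is unexpired and younger than a chosen maximum age, otherwise a fresh silent-auth round trip is forced, and a silent-auth failure (the case where the session cookie is not sent, e.g. Incognito or blocked third-party cookies, or the session was ended on another tenant) clears the cache so the app treats the user as logged out. The `silentAuth` callback stands in for the SDK call (for auth0-spa-js that would be `getAccessTokenSilently({ cacheMode: 'off' })`, an assumption about the call you would plug in); the sample token is constructed and unsigned, and the signature is deliberately not checked here because that is the resource server's job, not the cache policy's.

```javascript
// Added example: bounding how long a token in browser storage stays usable
// after a logout elsewhere. Not auth0 code; the SDK call is an assumption.

// base64url helpers (Node Buffer, no padding, URL-safe alphabet)
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(seg) {
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Read the payload of a compact JWT WITHOUT verifying the signature.
// Only exp/iat are consulted here, for a cache policy; verification of the
// token itself remains the API's responsibility.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// 'use'     -> cached token is unexpired and younger than maxAgeSec
// 'refresh' -> missing, malformed, expired, or older than the policy allows
function cachedTokenDecision(token, nowSec, maxAgeSec) {
  if (!token) return 'refresh';
  let claims;
  try { claims = decodeJwtPayload(token); } catch (_) { return 'refresh'; }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return 'refresh';
  if (typeof claims.iat === 'number' && nowSec - claims.iat > maxAgeSec) return 'refresh';
  return 'use';
}

// Apply the policy to a storage object (stand-in for localStorage).
// silentAuth() is assumed to return a fresh token string or throw when the
// authorization server reports login_required (no session cookie / logged out).
function getTokenWithPolicy(storage, nowSec, maxAgeSec, silentAuth) {
  const cached = storage.token;
  if (cachedTokenDecision(cached, nowSec, maxAgeSec) === 'use') {
    return { token: cached, source: 'cache' };
  }
  try {
    const fresh = silentAuth();
    storage.token = fresh;
    return { token: fresh, source: 'silent-auth' };
  } catch (err) {
    // Silent auth failed: drop the stale token so the app does not keep
    // acting on a session that may have ended on another tenant.
    delete storage.token;
    return { token: null, source: 'login-required', error: err.message };
  }
}

// Constructed, unsigned sample token (alg "none" is for the demo only).
function makeSampleToken(claims) {
  return `${b64urlEncode({ alg: 'none', typ: 'JWT' })}.${b64urlEncode(claims)}.`;
}

module.exports = { decodeJwtPayload, cachedTokenDecision, getTokenWithPolicy, makeSampleToken };
```

With a short `maxAgeSec` (a few minutes), a token that survived a logout on another tenant stops being honoured by the app almost as soon as the next silent-auth attempt fails, which is the closest a purely client-side setup gets to the introspection check the post asks about.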