Hi, everyone. Is it possible to log into the application without prompting the user with the login page?
For example: a user tries to access the application, and if the user is accessing it from a certain IP address, the application itself performs the login, without showing the Auth0 login page to the end user. I’m using auth0-react, btw.
Hi @eaugusto,
Welcome to the Auth0 Community!
It is possible if the user already has an existing session with your application; the user is then automatically redirected to your app’s callback URL without ever being prompted for credentials. This is defined as SSO.
However, if the user does not have a session with your application, then they must provide their credentials to log in.
Does that help?
Thanks,
Rueben
Hi, @rueben.tiow. Thanks for the response.
I thought it was possible to have a login flow based on the user’s IP address, for example, without the need for the user to provide credentials. The application could check the user’s IP and if it is part of a whitelist, for example, he would automatically be redirected to the index page.
Hi @eaugusto,
Thank you for your reply.
Unfortunately, it is not possible to accomplish this because there may be one IP address with multiple users. This would break, and it cannot be determined which user should be allowed to log in automatically. Moreover, this does not follow the OAuth 2.0 protocol.
In summary, users must provide their credentials on the login page to log in to your application.
Please let me know if you have any further questions.
Thanks,
Rueben
I see. But is there a way, using auth0-react, to provide the user’s credentials programmatically?
Hi @eaugusto,
Thank you for your response.
Yes, this is possible by using the Resource Owner Password grant (ROPG) flow.
Though we do not recommend it, highly-trusted applications can use the Resource Owner Password Flow (defined in OAuth 2.0 RFC 6749, section 4.3), which requests that users provide credentials (username and password), typically using an interactive form. Because credentials are sent to the backend and can be stored for future use before being exchanged for an Access Token, it is imperative that the application is absolutely trusted with this information.
Please see our Resource Owner Password flow documentation to learn more:
Thanks,
Rueben
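The backend token request for the Resource Owner Password flow described above, as an added example that is not part of the thread or Auth0's own code. It follows RFC 6749 sections 4.3 and 5.2; the `cfg` fields, the function names and the injectable `fetchImpl` are assumptions made for illustration, and `audience` is the optional Auth0 API identifier parameter.

```javascript
// Added example: server-side Resource Owner Password exchange (RFC 6749, section 4.3).
// The cfg object and all function names here are hypothetical.

// Build the POST to the token endpoint. The client secret and the user's
// password exist only in this request body; nothing is logged or stored.
function buildTokenRequest(cfg, username, password) {
  if (!username || !password) throw new Error("username and password are required");
  const body = new URLSearchParams({
    grant_type: "password",
    username,
    password,
    scope: cfg.scope,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // must never be shipped to the React frontend
  });
  if (cfg.audience) body.set("audience", cfg.audience);
  return {
    url: `https://${cfg.domain}/oauth/token`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Map the token endpoint's JSON answer to tokens, or to an error that carries
// only the OAuth error code (RFC 6749, section 5.2), never the credentials.
function parseTokenResponse(status, json) {
  if (status !== 200 || !json.access_token) {
    const err = new Error(`token request failed: ${json.error || "unknown_error"}`);
    err.code = json.error || "unknown_error";
    throw err;
  }
  return { accessToken: json.access_token, tokenType: json.token_type, expiresIn: json.expires_in };
}

// fetchImpl is injectable so the exchange can be exercised without a network.
async function exchangePassword(cfg, username, password, fetchImpl = globalThis.fetch) {
  const { url, init } = buildTokenRequest(cfg, username, password);
  const res = await fetchImpl(url, init);
  return parseTokenResponse(res.status, await res.json());
}
```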
So, now I was able to retrieve an access token through the backend and sent the token to the frontend as a response to the call.
How can I tell Auth0 that the user is now authenticated?
After I successfully made the call to retrieve the access token, I have to redirect the user to the main page of the application and even by doing that with the access token being passed in the header, the application automatically redirects the user to the Auth0 login page.