Can't be logged into multiple apps at the same time (different accounts)

We've got 3 apps (SPAs and corresponding API apps) all under the same tenant, but each with its own connection/database. We have users that have access to 2 or more of these apps (potentially using the same email, but still 2 different accounts as they’re separate connections). We’ve been recently notified that our users can no longer (apparently they could in the past) be logged into two or more apps at the same time.

The behaviour is as follows:

  1. User logs into App A, they can use the app normally.
  2. User proceeds to open a secondary tab and log into App B. Login is successful and they can use the app normally.
  3. User switches back to App A, and they can still use the app without any issues (possibly because it’s an SPA and doesn’t do postbacks…?); however, if they refresh the browser, App A will prompt them to log in again. App B can be refreshed several times and still work normally.
  4. User logs back into App A, everything is fine.
  5. User switches back to the App B tab, and after refreshing the browser, App B forces the user to log in again.
  6. Repeat steps 2-5.

What could be the reason for this behaviour? We have a few sign-in rules that do stuff like adding claims to the JWT (but not for all apps, so we have some logic around that), add the email address to the JWT, enforce geo-locking and also require MFA only once.

We made a release recently which changed the logic of the “adding claims” rule, but nothing special, and the “adding the email” rule was also added this time. None of these changes look like they could cause the problem.

We’re in the process of unifying the connection so they can “SSO” between these apps, but it’s not happening just yet.

Any help would be greatly appreciated.


Hey @andres.pinzon and welcome to Auth0!

Do you use silent authentication for these apps (which relies on the Auth0 cookies sent to a user's browser so that after refreshing the page the user doesn’t need to re-enter credentials to receive a new token/retain a valid session)?

Silent authentication returns a response from https://subdomian.xx.auth0.com/oauth/token with Auth0 cookies.

Can you compare these cookies’ values between the sessions of App A and App B before any refreshing happens? Are they different?
What currently comes to my mind (but would require some further investigation) is that if they are different, the former cookie value for the App A session might be considered invalid by Auth0 after a new one (for the App B session) has been sent to the browser, so silent authentication for App A can’t happen.

Thanks,
Marcelina


:video_camera: Want to join our next Community Interactive Q&A with our experts? This time we’re gonna talk about Auth0 Terraform Provider

Hi @marcelina.barycka , thanks for the quick response.

I can confirm we are using silent authentication, and the cookies from App A and App B are different before refreshing the tabs.

Hi @andres.pinzon ,

Thanks for confirming!

We could also check what the behaviour would be if we try to reproduce it with one connection shared between these two apps.
To test it, could you please:

  • create a test connection (with “sign up” disabled to prevent random users logging in), enable it for these two apps and manually add a test user there,
  • log in on a single machine to these two apps and check if you can reproduce the reported behaviour?

Another thing we could check is if you can log the silent-authentication-specific error codes while reproducing the behaviour. Based on this doc, if silent authentication fails due to some actions (actions are a replacement for rules, as rules will soon be deprecated), you would receive [interaction_required].

Have a good weekend,
Marcelina


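The error-code logging suggested in the reply above is easiest to reason about with a concrete callback handler. The following is an added example written for this thread; it is not Auth0's SDK code and not code from either participant. It classifies the redirect a SPA receives after a silent authentication attempt (an `/authorize` request with `prompt=none`) and records the outcome per app, so that App A's and App B's entries can be compared around a page refresh. The codes `login_required`, `consent_required` and `interaction_required` are the standard OpenID Connect `prompt=none` failure codes; the callback URLs, app names and `state` values are constructed for the example.

```javascript
// Added example (not from this thread or from Auth0's SDK): classify the callback
// a SPA receives after a silent authentication attempt (prompt=none) and log the
// error code before falling back to an interactive login.

const SILENT_AUTH_ERRORS = new Set([
  'login_required',       // no usable Auth0 session for this user/connection
  'consent_required',     // the API's scopes have not been consented to yet
  'interaction_required', // a rule/action (e.g. MFA) needs the user to interact
]);

// Parameters may arrive in the query string (response_mode=query) or in the
// fragment (response_mode=fragment); handle both.
function parseCallback(url) {
  const u = new URL(url);
  const raw = u.hash ? u.hash.slice(1) : u.search;
  const out = {};
  for (const [k, v] of new URLSearchParams(raw)) out[k] = v;
  return out;
}

// Decide what the SPA should do with the callback. The state check is the
// standard CSRF defence: a callback whose state does not match is ignored.
function classifySilentAuth(url, expectedState) {
  const p = parseCallback(url);
  if (p.state !== expectedState) {
    return { action: 'reject', reason: 'state mismatch' };
  }
  if (p.error) {
    return {
      action: SILENT_AUTH_ERRORS.has(p.error) ? 'interactive_login' : 'fail',
      code: p.error,
      description: p.error_description || '',
    };
  }
  if (p.code) {
    return { action: 'exchange_code', code: p.code };
  }
  return { action: 'fail', reason: 'callback carried neither code nor error' };
}

// Per-app log of silent-auth outcomes. Comparing App A's and App B's entries
// around a refresh shows which app lost its session and with which error code.
function recordOutcome(log, app, url, expectedState) {
  const outcome = classifySilentAuth(url, expectedState);
  log.push({ app, at: new Date().toISOString(), ...outcome });
  return outcome;
}

// Only the failures that should send the user to an interactive login.
function failedSilentLogins(log) {
  return log
    .filter((e) => e.action === 'interactive_login')
    .map((e) => `${e.app}: ${e.code}`);
}

// Constructed sample callbacks mirroring the scenario in the thread:
// App B silently renews fine, App A fails after App B's session was started.
const SAMPLE_LOG = [];
recordOutcome(SAMPLE_LOG, 'App B',
  'https://app-b.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=b1', 'b1');
recordOutcome(SAMPLE_LOG, 'App A',
  'https://app-a.example/callback?error=login_required&error_description=Login%20required&state=a1', 'a1');
recordOutcome(SAMPLE_LOG, 'App A',
  'https://app-a.example/callback#error=interaction_required&error_description=MFA%20required&state=a2', 'a2');

console.log(failedSilentLogins(SAMPLE_LOG));
```

Run with Node (`node silent-auth-log.js`); `URL` and `URLSearchParams` are built in. In a real SPA the log would be sent to whatever telemetry the app already uses, and the `expectedState` would be the value stored before the silent `/authorize` request was issued.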

Hi @andres.pinzon ,

To further investigate it, I have set up locally 2 SPAs relying on the silent authentication with their corresponding APIs under the same Auth0 tenant, without any rules / actions, under the below settings:

  1. Each having a different connection enabled (one Auth0 database and the second one passwordless). The result is as you have described: users have to log in to these two apps separately AND re-enter credentials after each page refresh. This seems to be expected behaviour, thus I think the users experiencing it for the first time might have just started recently using more than one app at the same time.

  2. Both having the same connection enabled (I chose the Auth0 database). The result is that users have to log in for the first time to both apps separately (prompting users for the consent needed by the two different APIs) and after that, re-entering credentials is not needed by any of the apps after page reloads. The corresponding cookies are still different for these 2 apps, but starting a new session in the second app doesn’t impact the former session in the first app. Potentially you could consider it as a temporary workaround.

Hope this helped! Please let me know if you have any questions!



Hi @marcelina.barycka ,

I’m actually not too bothered with the functionality as it is. We’re in the process of making all these apps use the same connection, so it won’t be an issue for our clients in the future.

Thanks for looking into this!
