Centralised login portal

So we have a central PHP-based portal using Universal Login all working.

Once logged in the user is shown multiple applications from Auth0 if they have the required roles, etc. User clicks on one of these applications, the app opens in a new tab and logs the user in via Universal Login.

We want the user to be logged out of all applications that are open when they log out of the portal; we’ve done this using IFRAMEs in the portal logout process.

All working fine up to this point.

Now, if I log in to the portal and then click on an app from within the portal, it opens a new tab, authenticates with Auth0 and (if already logged in) everything works great and the app shows the user details.

What I want to do is if an app is opened without the user logged in, I want it to instead redirect the user to log in via our portal and then click on the required app in our portal. At the moment, if the user is not logged in, the app prompts the user to log in via Universal Login in the app.

I can’t find any way to say something like:

  1. Use Universal Login to log the user in if a session exists
  2. If no session exists, just return something back or redirect to a URL and DO NOT prompt the user to log in.

Any ideas?

Hi @jamie.richards ,

Assuming that in these client apps, there is a “login” button visible for end users only if they are not logged in (they have no valid session), you can check how you handle the click event for this button.
For example, in this SPA-related doc, clicking the login button invokes loginWithRedirect() [a call to Auth0’s /authorize endpoint] to redirect to Auth0’s login page.


```html
<button id="login">Click to Login</button>
<script>
  // Redirect to the Universal Login page
  document.getElementById('login').addEventListener('click', async () => {
    await auth0.loginWithRedirect();
  });
</script>
```


You can try to adjust it to redirect users to your centralised php login portal URL instead, where they can start the proper authentication flow. However, I’m not sure how that would affect the rest of your authentication login flow (you may potentially refer to the login with redirect later in your code).

In general, in these client apps, you may want to review what’s going on around checking the authentication status [isAuthenticated() method] and if you can see the login with redirect to the Auth0 there, which is unwanted in your case.

Thanks,
Marcelina



Hi @marcelina.barycka

The problem is that we do not want the third party application to show a Universal Login prompt, if the user is not authenticated it should redirect back to the portal. We want the portal to be the only place where the user can actually login.

As the user would have logged into the portal and not the third application, the isAuthenticated will not work until we use the “loginWithRedirect” method with the third party application and that prompts the user to login if they are not already logged in. We want the user to go back to the portal to login.

We kind of need a “checkLoginOrReturn” method which does everything “loginWithRedirect” does but just returns back an error if there is no session.

Thanks for following up!

What I meant there is that you may want to try replacing loginWithRedirect() with your custom logic. In the case of the login button click handling, that means replacing auth0.loginWithRedirect() with logic that simply redirects users to your PHP app. So clicking the login button on your client app only redirects users to another app (your PHP app) instead of initiating the authentication flow with Auth0.



@marcelina.barycka

I understand - the problem is that isAuthenticated is always FALSE until the loginWithRedirect method is used.

So if I log into the portal and then click on a 3rd party app (which opens in a new tab), isAuthenticated is FALSE within the 3rd party app until the loginWithRedirect method is used. As the user is actually logged in (via the portal), using loginWithRedirect returns the user back to the 3rd party app and isAuthenticated is now true.

The problem is if the user has not logged in via the portal, loginWithRedirect then prompts them to login within the 3rd party app.

How do we check for an authenticated session created using another application?

Hi @jamie.richards ,

> The problem is if the user has not logged in via the portal, loginWithRedirect then prompts them to login within the 3rd party app.

I think that what you may be looking for is to set your php central login portal as a custom identity provider which would have to be registered in your Auth0 tenant as a custom connection and allowed for your apps. And for the login with redirect → authorization params → you would set the connection=name_of_your_custom_IdP so users that are not logged in would be redirected there.

This article describes the scenario - Connect Apps to Generic OAuth2 Authorization Servers

You could also search the library of the Auth0 SDK in use to see what methods are available to check the user session. For example, checkSession() relies on Auth0 cookies stored in the end user’s browser.


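The session check discussed in this thread, as an added example that is not part of any post and is not Auth0's own code: a client app runs the silent checkSession() first and sends the browser to the portal when no session comes back, so Universal Login is never shown inside the app. It assumes the auth0-spa-js client methods checkSession(), isAuthenticated() and getUser(); `PORTAL_URL`, `resolveSession`, `gate` and `fakeClient` are hypothetical names, and the stub client is constructed sample input.

```javascript
// Placeholder: the only place users are allowed to log in.
const PORTAL_URL = 'https://portal.example.com/';

// Decide what the app should do on load, without ever prompting.
// `client` is an auth0-spa-js Auth0Client (assumption) or a compatible stub.
async function resolveSession(client, portalUrl = PORTAL_URL) {
  try {
    // Silent check: relies on the Auth0 session cookie, renders no login page.
    await client.checkSession();
  } catch (err) {
    // Any failure of the silent check is treated as "no usable session".
    const reason = (err && err.error) || 'check_failed';
    return { action: 'redirect', url: portalUrl, reason };
  }
  if (await client.isAuthenticated()) {
    return { action: 'continue', user: await client.getUser() };
  }
  // No session: hand the user back to the portal instead of loginWithRedirect().
  return { action: 'redirect', url: portalUrl, reason: 'login_required' };
}

// Browser wiring: call once on page load, before rendering protected content.
async function gate(client) {
  const result = await resolveSession(client);
  if (result.action === 'redirect') {
    // replace() keeps the unauthenticated page out of the history stack.
    window.location.replace(result.url);
  }
  return result;
}

// Constructed stand-in for the SDK client, so the logic runs offline.
function fakeClient({ session = false, failWith = null } = {}) {
  let authed = false;
  return {
    async checkSession() {
      if (failWith) throw failWith;
      authed = session;
    },
    async isAuthenticated() { return authed; },
    async getUser() {
      return authed ? { sub: 'auth0|constructed-user' } : undefined;
    },
  };
}
```

Because the check depends on the Auth0 cookie reaching the tenant, a browser that blocks that cookie makes a logged-in user look logged out; the fallback here is still the portal, never an in-app prompt.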

Thanks @marcelina.barycka I’ll take a look at that

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.