I’m trying to get cross-origin and silent auth to work together. Here’s my situation:
I have two client applications. Let’s call them Outer and Inner. Inner is hosted in an iframe inside of Outer. Previously we had an IdentityServer4 IDP providing OIDC auth, and we were using a hybrid flow to authenticate users to Inner. In the transition to Auth0, that doesn’t seem like it will work, because opening an iframe to the /authorize endpoint returns a CSP header frame-ancestors set not to include the Outer window.
After reading through a bunch of Auth0 documentation, I came to the conclusion that using Silent Authentication was probably the right way to handle authentication inside the Inner application. I have custom middleware set up to send a request to the /authorize endpoint from the back-end, and I’m successfully capturing login status info from the Location header in the response back from Auth0. The problem is that it’s always returning a ‘login_required’ error – even when I’m already logged into my Auth0 account. I suspect the problem is that my back-end system for the Inner client is not sending back Auth0’s cookies when making the call against the /authorize endpoint.
I have my cross-origin domains set up and I have cross-origin auth turned on for my Inner client. I do have custom domains set up, but we’re running all our clients/apps on localhost in development, so I think it’s still causing a problem with the cookies. I’m guessing everything would be working if this was deployed to an environment running on the same domain as our custom domain.
My question is this: Is there any supported way to configure Auth0 to set cookies that are accessible to my localhost client? Or do I have to edit my hosts file to point my custom domain to my development app?
Bonus question: Will I have to run my local development environment under HTTPS for it to work?
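Added example (not code from the post above or from Auth0): a small JavaScript helper that builds the silent-authentication request the post describes (an /authorize call with prompt=none) and classifies the 302 Location header that comes back, distinguishing a returned authorization code from the error=login_required case. The tenant domain, client_id and redirect_uri are placeholders, the sample Location values are constructed rather than captured from a real tenant, and state/nonce are assumed to be generated by the caller from a CSPRNG (for example crypto.randomBytes) and persisted between request and response. Whether the request is made from the browser or, as in the post, from a backend, the same parsing applies; the request only succeeds if it carries the Auth0 session cookie, which the browser sends to the Auth0 (or custom) domain it was set on.

```javascript
// Added example, not from the original post or from Auth0.
// Placeholders for the tenant; replace with real values.
const TENANT = "https://login.example.com";           // assumed custom domain
const CLIENT_ID = "YOUR_CLIENT_ID";                   // placeholder
const REDIRECT_URI = "http://localhost:3000/callback"; // assumed dev callback

// Build the /authorize URL for a silent (prompt=none) authorization-code request.
// state and nonce must be unpredictable values from a CSPRNG, stored by the caller
// so the response can be matched to the request.
function buildSilentAuthUrl({ state, nonce, audience } = {}) {
  const url = new URL("/authorize", TENANT);
  const p = url.searchParams;
  p.set("response_type", "code");
  p.set("client_id", CLIENT_ID);
  p.set("redirect_uri", REDIRECT_URI);
  p.set("scope", "openid profile email");
  p.set("prompt", "none"); // never show a login UI; fail with login_required instead
  p.set("state", state);
  p.set("nonce", nonce);
  if (audience) p.set("audience", audience);
  return url.toString();
}

// Classify the Location header of the 302 returned by /authorize.
// For response_type=code the parameters are in the query string; for implicit or
// hybrid responses they are in the fragment, so both are checked.
// Returns an object whose status is one of:
//   "authenticated", "login_required", "interaction_required", "error", "invalid_state".
function classifySilentAuthRedirect(location, expectedState) {
  const url = new URL(location);
  const query = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const get = (k) => query.get(k) ?? fragment.get(k);

  // Check state before anything else: a response for a different request is not ours.
  if (get("state") !== expectedState) {
    return { status: "invalid_state" };
  }
  const error = get("error");
  if (error === "login_required") {
    // No valid Auth0 session was presented with the request (no cookie, or it expired).
    return { status: "login_required", description: get("error_description") };
  }
  if (error === "consent_required" || error === "interaction_required") {
    return { status: "interaction_required", error, description: get("error_description") };
  }
  if (error) {
    return { status: "error", error, description: get("error_description") };
  }
  const code = get("code");
  if (!code) return { status: "error", error: "missing_code" };
  return { status: "authenticated", code };
}

// Constructed sample redirects standing in for Auth0 responses (not captured from a real tenant).
const SAMPLE_STATE = "abc123";
const SAMPLE_LOGIN_REQUIRED =
  "http://localhost:3000/callback?error=login_required&error_description=Login%20required&state=abc123";
const SAMPLE_SUCCESS =
  "http://localhost:3000/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123";
const SAMPLE_FRAGMENT =
  "http://localhost:3000/callback#code=frag123&state=abc123";

// Usage: build a request, then classify the constructed responses.
const SAMPLE_REQUEST = buildSilentAuthUrl({ state: SAMPLE_STATE, nonce: "n-0001" });
const SAMPLE_RESULTS = {
  loginRequired: classifySilentAuthRedirect(SAMPLE_LOGIN_REQUIRED, SAMPLE_STATE),
  success: classifySilentAuthRedirect(SAMPLE_SUCCESS, SAMPLE_STATE),
  fragment: classifySilentAuthRedirect(SAMPLE_FRAGMENT, SAMPLE_STATE),
  wrongState: classifySilentAuthRedirect(SAMPLE_SUCCESS, "some-other-state"),
};
console.log(SAMPLE_REQUEST);
console.log(SAMPLE_RESULTS);
```

When the classifier reports login_required for a request the backend made on the user's behalf, the first thing to confirm is whether that request carried the user's Auth0 session cookie at all; a plain server-to-server call to /authorize does not, so it is indistinguishable to Auth0 from a logged-out user.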