How do I maintain the Auth0 session on the device that displays the authorization URL? It does successfully get the session using webAuth.checkSession if I do it within the same browser, which leads me to believe it isn’t possible for a phone to log in and the device to store that session.
Hi @brgzingler ,
I understand you’re trying to maintain an Auth0 session across different devices - specifically between a phone where the login happens and another device that needs to maintain that session.
You’re correct in your observation. This is fundamentally challenging because:
- Auth0’s checkSession works within the same browser context because it relies on browser cookies/storage
- The authorization flow happening on the phone creates a session specific to that device/browser
But I am curious to know, what use case or experience are you trying to solve?
@sumansaurav I am trying to create a QR code login flow for a display that is running a web app. When users log in on their device, I want the session to persist on the display, ideally across subdomains as well, meaning we would need cookies. I was hoping for some sort of function in the Auth0 SDK to exchange the access token to create a session, but so far my solution has been to just store the id_token, expires_at and refresh_token in local storage, and then just check expires_at to see if the user’s session is over. When it is over, I use rotating refresh tokens to create a new session. I am not sure if local storage is the correct option for this, however.
Hi @brgzingler ,
If I am understanding correctly, you are trying to implement the Client-Initiated Backchannel Authentication Flow.
Look at this documentation and let me know if this fits your use case.
I’m not sure this is quite what I am looking for. This isn’t for a mobile app so I have no way of sending push notifications; there must be a QR code that the user can scan with a device to authenticate when the user presses sign in on the display, similar to how Roku apps authenticate. This is confusing to me because there is surely a way to do what I’m trying to do with the Device Authorization Flow. The only difference is that I am doing it on a website in the browser, not in an app. Thank you for the response, though!
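For readers following the thread, the Device Authorization Flow mentioned in the last post (RFC 8628) reduces on the display side to a polling state machine. The sketch below is an added example, not code from any poster or from the Auth0 SDK; the function names, the `tenant.example` host and all sample codes are constructed, and the field and error names are the ones RFC 8628 defines.

```javascript
// Added example: RFC 8628 polling as a pure state reducer (no network I/O).
const DEFAULT_INTERVAL_S = 5; // RFC 8628 default when "interval" is omitted

// Initial state from a device authorization response.
function startPolling(auth, nowS) {
  return {
    status: "pending",
    deviceCode: auth.device_code,
    // verification_uri_complete carries the user_code, so it suits a QR code.
    qrTarget: auth.verification_uri_complete || auth.verification_uri,
    intervalS: auth.interval || DEFAULT_INTERVAL_S,
    deadlineS: nowS + auth.expires_in,
    tokens: null,
  };
}

// Fold one token-endpoint response body into the state.
function onTokenResponse(state, body, nowS) {
  if (state.status !== "pending") return state; // terminal states stay put
  if (nowS >= state.deadlineS) return { ...state, status: "expired" };
  if (body.access_token) return { ...state, status: "authorized", tokens: body };
  switch (body.error) {
    case "authorization_pending": return state; // user has not finished yet
    case "slow_down": return { ...state, intervalS: state.intervalS + 5 };
    case "access_denied": return { ...state, status: "denied" };
    case "expired_token": return { ...state, status: "expired" };
    default: return { ...state, status: "failed" }; // unknown error: stop
  }
}

// Replay constructed responses, waiting the current interval before each poll.
function simulate(auth, responses) {
  let nowS = 0;
  let state = startPolling(auth, nowS);
  for (const body of responses) {
    if (state.status !== "pending") break;
    nowS += state.intervalS;
    state = onTokenResponse(state, body, nowS);
  }
  return { state, elapsedS: nowS };
}

// Constructed sample data (placeholder host and codes, not from a real tenant).
const SAMPLE_AUTH = {
  device_code: "EXAMPLE-DEVICE-CODE", user_code: "ABCD-EFGH",
  verification_uri: "https://tenant.example/activate",
  verification_uri_complete: "https://tenant.example/activate?user_code=ABCD-EFGH",
  expires_in: 900, interval: 5,
};
```

In a live client each response body would come from a POST to the token endpoint carrying the `device_code` and the grant type `urn:ietf:params:oauth:grant-type:device_code`; here the bodies are supplied by hand so the interval and expiry handling can be checked offline.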