If your client is meant to detect an SSO session, the correct way would be to use silent authentication to detect this. Auth0.js (currently at v8) provides a method renewAuth as documented here to make this flow easier.
The way this flow would work is:
- Client.com
- Client.com (renewAuth is called on this page)
- account.auth0.com/authorize?...&prompt=none
- If the user is logged in:
  - client.com/callback (with access_token, id_token, or code depending on the flow being used (determined by responseType in Auth0.js’ config))
- If the user is not logged in:
  - client.com/callback#error=login_required&error_description=Login%20required
We have a very simple sample here that illustrates how this can be implemented.
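One way the callback page could tell the two outcomes above apart, as an added example that is not part of the original answer or Auth0's sample. The function name, the sample URLs and the `state` check (which assumes the client sent a `state` value with the authorize request) are assumptions; beyond the `login_required` case shown above, it treats the other OIDC `prompt=none` errors the same way.

```javascript
// Added example, not Auth0's sample. Classifies the URL that lands on
// client.com/callback after an /authorize?...&prompt=none request.

// OIDC errors that mean "no usable SSO session; an interactive login is needed".
const NEEDS_INTERACTION = new Set([
  'login_required',        // the case shown in the flow above
  'consent_required',      // OIDC Core 3.1.2.6
  'interaction_required',  // OIDC Core 3.1.2.6
]);

// expectedState: the state value the client sent with the authorize request
// (assumption: the client stored it before starting the flow).
function classifySilentAuthCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Implicit flows return parameters in the fragment, the code flow in the query.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const params = [...fragment.keys()].length ? fragment : url.searchParams;

  const error = params.get('error');
  if (error) {
    // Failing toward "not logged in" only ever leads to an interactive login.
    return {
      status: NEEDS_INTERACTION.has(error) ? 'not_logged_in' : 'error',
      error,
      description: params.get('error_description'),
    };
  }

  const received = ['access_token', 'id_token', 'code'].filter((k) => params.get(k));
  if (received.length === 0) {
    return { status: 'error', error: 'empty_response', description: null };
  }
  // Reject responses that do not belong to the request this client started.
  if (!expectedState || params.get('state') !== expectedState) {
    return { status: 'error', error: 'state_mismatch', description: null };
  }
  return { status: 'logged_in', received };
}

// Constructed sample callbacks (values are placeholders, not real tokens).
const samples = [
  'https://client.com/callback#error=login_required&error_description=Login%20required',
  'https://client.com/callback#access_token=AT_PLACEHOLDER&id_token=IDT_PLACEHOLDER&state=s1',
  'https://client.com/callback?code=CODE_PLACEHOLDER&state=other',
];
for (const s of samples) console.log(classifySilentAuthCallback(s, 's1'));
```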