How to allow a secondary login without overwriting the current logged in user

Greetings,

I have a working SPA app where I need to login two users - the first one will login with the Universal Login prompt, this login will set the Auth0 authentication cookie and it's not a problem. The second login is a manager login on the same browser/app session. We don’t want the manager login to override the existing Auth0 cookie. Is there a way we can get the manager's token without setting the Auth0 cookie?

Thanks,
Sean

Hi @sgalland,

Welcome to the Auth0 Community!

To get a token for the manager without overwriting the primary user’s session cookie, you must use a non-browser-based flow. The recommended approach is to use the Resource Owner Password Grant (ROPG), proxied through your own secure backend.

Instead of redirecting the manager to the Universal Login page, you can implement the following:

  1. Create an In-App Manager Form: In your SPA, create a separate login form (a modal or a dedicated view) that asks for the manager’s username and password.

  2. Send Credentials to Your Backend: When the manager submits this form, do not send the credentials to Auth0 directly. Send them to a new, secure endpoint on your own backend API (e.g., /api/manager-login).

  3. Use ROPG from Your Backend: Your backend service, which must be a confidential client (like a regular web app), will receive these credentials. It will then make a secure, server-to-server call to the Auth0 /oauth/token endpoint using the Resource Owner Password Grant (ROPG).

    • Grant Type: password
    • Username: The manager’s username
    • Password: The manager’s password
    • Client ID: Your application’s Client ID
    • Client Secret: Your application’s Client Secret

  4. Receive Token on Backend: Auth0 will validate the credentials and, if successful, return an access_token and id_token for the manager directly to your backend. This entire exchange happens without a browser redirect and sets no cookies.

  5. Return Token to SPA: Your backend API endpoint (/api/manager-login) then returns the manager’s access_token in its JSON response to your SPA.

  6. Manage Tokens in SPA: Your SPA now has two tokens in memory:

    • The primary user’s access_token (from the initial Universal Login).
    • The manager’s access_token (from your custom API call).

Your application can now choose which token to use in the Authorization header for API calls, depending on whether a “manager” action is being performed.

See this for calling APIs using ROPG.

If you have any further questions, please don’t hesitate to reach out.

Have a good one,
Vlad
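Below is an added example of the backend proxy described in steps 2 to 5 above (example code, not from the original thread or from Auth0). It assumes a Node backend with a `POST /api/manager-login` route, the Auth0 tenant domain, client ID, client secret and API audience supplied via configuration (placeholder values are used here), and a `fetchImpl` parameter so the token exchange can be exercised without network access. The handler builds the `grant_type=password` call to `/oauth/token`, strips everything except the access token from Auth0's reply, and never sets a cookie, so the primary user's session is left intact.

```javascript
// Added example: backend proxy for the manager login (not the project's own code).
// Assumed config (placeholders): domain, clientId, clientSecret, audience, scope.

// Build the form-encoded Resource Owner Password Grant request for
// https://<tenant>/oauth/token. The fields are the ones listed in the answer:
// grant_type=password, username, password, client_id, client_secret.
// audience/scope are optional and identify the API the token is for.
function buildRopgRequest(cfg, username, password) {
  if (typeof username !== "string" || typeof password !== "string" || !username || !password) {
    throw new Error("username and password are required");
  }
  const params = new URLSearchParams({
    grant_type: "password",
    username,
    password,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // stays on the server, never reaches the SPA
  });
  if (cfg.audience) params.set("audience", cfg.audience);
  if (cfg.scope) params.set("scope", cfg.scope);
  return {
    url: `https://${cfg.domain}/oauth/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}

// Reduce Auth0's token response to what the SPA needs. Only the manager's
// access_token (plus type and expiry) is returned; id_token, refresh_token
// and anything else in the reply stay on the backend.
function shapeSpaResponse(tokenResponse) {
  if (!tokenResponse || typeof tokenResponse.access_token !== "string") {
    throw new Error("token response has no access_token");
  }
  return {
    access_token: tokenResponse.access_token,
    token_type: tokenResponse.token_type || "Bearer",
    expires_in: tokenResponse.expires_in,
  };
}

// Handler for POST /api/manager-login. `reqBody` is the parsed JSON body
// from the SPA ({ username, password }); `fetchImpl` is the global fetch in
// production and a stub in tests. The returned object is a plain HTTP
// result: no Set-Cookie header is ever produced, so the primary user's
// Auth0 session cookie is untouched.
async function managerLogin(cfg, reqBody, fetchImpl) {
  let req;
  try {
    req = buildRopgRequest(cfg, reqBody && reqBody.username, reqBody && reqBody.password);
  } catch {
    return { status: 400, body: { error: "invalid_request" } };
  }
  // Do not log req.body: it contains the manager's password.
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    // Return a generic error; forwarding Auth0's error body could reveal
    // whether the username exists.
    return { status: 401, body: { error: "invalid_credentials" } };
  }
  const tokens = await res.json();
  return { status: 200, body: shapeSpaResponse(tokens) };
}

// Example wiring with Express (assumed), shown as a comment so the module
// stays dependency-free:
//   app.post("/api/manager-login", async (req, res) => {
//     const out = await managerLogin(cfg, req.body, fetch);
//     res.status(out.status).json(out.body);
//   });

module.exports = { buildRopgRequest, shapeSpaResponse, managerLogin };
```

Two practical checks before relying on this: the Password grant has to be enabled for the backend's application in the Auth0 dashboard (Application > Advanced Settings > Grant Types), and the `/api/manager-login` route should be rate limited and served only over HTTPS, since it accepts raw passwords. Keeping the SPA's two tokens in memory, as step 6 describes, and choosing which one goes into the `Authorization` header per request is then entirely an application decision.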