I’m currently not using Universal Login. I could easily turn it on in Wordpress.
SSO works whether that option is on or not. In the near future, it will be required for the plugin if you’re doing SSO but, for not, it is not.
Both apps are pointing to the same tenant but they are on different virtual hosts (Apache).
That’s perfectly fine. Your SSO session is with Auth0 and can be checked from either application.
My understanding is that there are only two ways for browser to authenticate. Either via cookie or a token.
This is getting a little foggy. Token authentication is typically used for accessing an API. Our WordPress plugin authenticates with Auth0 and, if successful, sets the core WordPress session cookie. After that process is done, Auth0 is basically out of the picture until the WordPress session expires or you logout. I don’t know how your Angular app is built but if you have a backend that can handle the authentication process, this is the flow you want. If it’s a pure single-page app, it’s this one.
Because i’m not in control of Wordpress cookies i thought passing a token via URL would be an idea.
You definitely don’t want to include a token in a URL for any reason. That will end up in your browser history, server logs, etc. I’m confused about why WordPress would be doing the authentication for your Angular app.
Again, regardless of the session in either application, you’ll have a session with Auth0 once you log in. So if you login to WordPress, you’ll have an Auth0 session and a WordPress one. The Angular app can check for the Auth0 session using silent authentication. If you login to the Angular app first, then you can turn on the SSO feature in WordPress and when users visit the
wp-login.php page, they will be logged in automatically.
Hope that helps a bit!