How to implement SSO for multiple apps with google as identity provider

We have two SPA and 2 corresponding APIs in auth0 across which we want SSO. Currently, we are using auth0 java library in backend to redirect user to authorize url and using google as identity provider, after logging in, we use the access token to authorize user actions. However, the flow for both apps are separate.

Ideally we would want the user to login to one of the app and then upon login to another we should be able to get access token for that API automatically without them login again. I have been reading documentation around sso but couldn’t find details on how to implement this scenario.

Thanks

Hi @parag.jain,

welcome to the community.

This is a helpful blog post around the SSO mechanism in general:

Regarding how to achieve it, “Silent Authentication” is the keyword to search for.

If you’re using the auth0-spa-js SDK, the relevant method would be:
https://auth0.github.io/auth0-spa-js/classes/auth0client.html#gettokensilently

Hey @mathiasconradt, thanks for the reply. I have gone through this post in the past, however still I was unable to understand how would it be exactly implemented.

We are not using auth0-spa-js, we are using auth0 java client. Actually, I was exploring on how could I achieve this getTokenSilently in the backend. My requirement is user is logged in and I have an access token for a specific audience, I am achieving this using implicit flow by redirecting user to login with google.

Now I want to fetch another access token for the same user but for different audience without prompting him to login. So a build an authorize url like this and redirecting him to the url -

final String authorizeUrl = authenticationController.buildAuthorizeUrl(
        req,
        res,
        redirectUri
    ).withAudience("<different_audience>").withParameter("prompt", "none").build();

here the redirectUri is my callback endpoint where I want to receive the access token. However, upon executing this, I get redirected to - <redirectUri>?error=login_required&error_description=Login%20required&state=lnYCzQUX9HPhYJ9zYDMOzEUXXExw3W2_ytMBC0-cylQ and getting HTTP ERROR 401. This error is described here - Configure Silent Authentication which states that login is required but I have already logged in. I thought auth0 server should already be knowing that somehow but seems like I am missing something, do I need to pass some parameters or cookie in the authorize url and where to get them ?

Thanks