Implementing autologin in sister domain, when session is active in main domain

We’re implementing SSO so our users can sign up / log in irrespective of the domain they are currently browsing. We control all these domains, as they’re our sister sites.

We have already implemented a Proof of Concept using a couple of domains and the latest React Sample App (we use React for our frontend).

Domain1: sso.maindomain.com

Domain2: childdomain.com

If you navigate to Domain1 and log in, you will be redirected to the Auth0 Universal Login page, and once valid credentials are entered, you’ll get redirected back to Domain1.

This works fine.

However, if I were to then navigate to Domain2, I’m not logged in. I have to click on the Login button, and then a session is established (without having to enter credentials again, which is great).

However, we’re looking for a more seamless experience, in which users will not even have to click on a Login button to get signed in, but will actually be signed in automatically.

This is exactly what Google does when you sign in at Gmail and then navigate to YouTube. Even with no cookies originally in there, the YouTube page will appear to the user as already logged in.

Is this supported by Auth0?

This should be doable, although it would be best if you could clarify something: in your current setup, where is the Login button the user has to click shown? Is it shown by the application in Domain2, or is it shown by a page associated with the Auth0 service?


Thanks for your prompt reply. This login button will be part of our application (so in Domain1 and Domain2), and will be shown everywhere in the header (very similar to the sample project) so it’s always available if users want to log in. Clicking on this login button is what fires the Auth0 redirect.
If the user is logged in, their username is shown instead of the login button.

If the login button being displayed is at the application level, then from the point of view of the Auth0 tenant configuration the seamless SSO configuration seems to be set up correctly, as you mention that when clicking login in the second application they do get logged in automatically.

With this in mind, a possibly simple solution would be to have all applications automatically start a login request when they are accessed. This would mean accessing the first application would trigger the login page to be shown, and afterwards, if the user accesses the second application, they would get automatically logged in.

However, the above, although simple for a client application to implement, may also have its drawbacks. If the user accesses both applications without completing a login, they will get the login page shown in both and they will have to complete both (for example, when opening two browser tabs at the same time).

Another alternative would be doing that automatic request with prompt=none (https://auth0.com/docs/authorization/configure-silent-authentication), so that if the user does not have a previous session, control is returned to the client application. This would allow the following:

  • if there’s already a session, the prompt=none request will return a response that you can use to log the user in automatically.
  • if there’s NO session, you get an error response, so you can render your application as an anonymous user and include a login button.

In conclusion, this is possible, but the exact implementation may depend on the client application and even on your preferences.


Actually, that’s very helpful. I can use prompt=none to change the behaviour based on the route in my application. If it’s a route that supports non-logged-in users, it will just show the login button instead of redirecting them to the Auth0 login.
