Keep user logged in across different apps

Hi,

We currently have an issue with keeping the user logged in when, for example, a user logs in via the native Android app using Auth0 but then reaches another app, let’s say a responsive website, where the user is taken out of the native app to the mobile browser. The issue here is that the user does not have a login session on the Auth0 sign-in (Lock) page and is asked to log in again. The same question applies if we have two native mobile apps and one native app takes the user to the other.

I do know about Silent Sign-in, which we are using, but that works only in the same browser, where the previous login session cookie for that browser is kept on the Auth0 Lock page.

After a lot of searching I can find only this solution, which is not straightforward:

By the way, would this solve the native app to responsive website auto-login issue?

Assuming we cannot change the way the user logs in within the native app, what would be another approach to achieve seamless login?

Is the only possible option that the native mobile app posts the user’s id_token to the responsive website app, where the website app decodes and verifies this JWT id_token and uses the decoded payload to assume that is the user? (https://auth0.com/docs/tokens/id-token)

Of course, this latter solution does not solve the silent sign-in issue: if the user landed on the Auth0 Lock sign-in page, it would still not be aware of the user’s session in this new browser.

Can you please verify this information and suggest any ideas or other possible approaches?

P.S. It would be nice to have an Auth0 API (probably the same as the current authenticate-with-callback, just with an extra parameter like id_token) where you send this id_token and Auth0 verifies it, decodes it and signs in the user, keeping the user’s sign-in session on the Auth0 Lock page and, of course, reusing the same callback to send all data as usual. If something like that exists, please let me know. We are using the passport-auth0 plugin for Auth0 SSO with callbacks.

Thanks,
Egis

Hello, Egis! And welcome to the Auth0 Community.

In order for Auth0 to perform a Silent Authentication, there needs to be a session established within Auth0 itself, which is what we can achieve with Universal Login.

What you mentioned is correct - having a browser-based authentication flow instead of a native login flow would solve this issue, as the session would be captured from Auth0 directly. If you use a native login flow, there will be no session created within Auth0 itself - only inside your application, and it cannot be shared.

Would you be able to give this a try and let us know how it goes? If you have tried it already and you do not achieve the desired results, would it be possible for you to describe, in a step-by-step manner, your authentication flow?

Thanks!


Hi Jose,

We are currently in a situation where the native mobile app will not be changed in the way it authenticates a user; the best thing we can achieve for now is that the native mobile app could share the user’s id_token with the responsive website app.

We do use Auth0 SSO via customized Universal Login; we have 3 separate web apps and a native mobile app. On a web app it is easy, as I can try Silent Authentication with prompt=none and, on failure, redirect to Universal Login again to prompt for user login. So if the user journey started from one of the web apps, the user is in the same browser and the web app attempts Silent Authentication, it is all good. But if the journey started from the native mobile app and the user was then taken out to the responsive web app, this is where no session exists with Universal Login. For the web app to know about the user who came from the mobile app, we would share the id_token, so the web app could verify the id_token and decode the payload to get basic info about the user. But as soon as the user clicks from one web app to another web app, it will try Silent Auth again and fail, as Auth0 is still not aware of the user session.

So is there a way to initiate a user session in Auth0 Universal Login by providing only the user’s id_token, where Universal Login does the token verification and, on success, initiates the user auth session and redirects back to the callback as it would in the normal authenticate flow? In this case, we would not have to implement id_token verification and decoding in each app, and we would be able to properly use Auth0 SSO across all web apps.

Thanks,
Egis

Hello, Egis,

I don’t think that sharing ID tokens like this would be considered a safe practice. You would also need to establish a safe transportation method and ensure that the token is not tampered with. Auth0 does not receive ID tokens out of the box - you would have to establish a new connection for us to receive ID tokens and interpret them into a user.

As previously mentioned, this issue is due to the specific implementation of Embedded login, and in order to achieve this functionality, I recommend that you consider switching to a web-based authentication flow.

Thanks!

Hi Jose,

Could you please provide more information on this:

Auth0 does not receive ID tokens out of the box - you would have to establish a new connection for us to receive ID tokens and interpret them into a user.

So is there an Auth0 endpoint where an id_token could be used to authenticate the user via Universal Login?

Thanks,
Egis

Hello, Egis,

No. We do not receive ID tokens except as part of an OIDC/OAuth2 flow, which can be set up with a Custom Social Connection.

Thanks!
