Login user from api then redirect away to another portal

I’m a little confused about how to log a user in, and then once the token response is received, redirect them to another portal.

I’ve explained my question on stackoverflow, any help would be greatly appreciated!

https://stackoverflow.com/questions/67691219/how-do-you-login-to-auth0-using-the-api-from-one-application-which-redirects-to

Hi @john.kirkham

There are a lot of pieces here.

First, the access token is used to access an API, but I don’t see that you have an API. So I think this is not germane to your issue.

To summarize:

  • You have a legacy app with legacy IDP and you don’t want to change this
  • You have a new app that you want to use with legacy credentials
  • You have a third app that you want to have SSO with the new app

The easiest approach is to make an Auth0 custom DB connection that connects to your legacy IDP. Then your new app and the third app use this connection, and you will get SSO. And also your legacy app stays unchanged.

John

1 Like

Hi John, sorry there are only 2 applications here. Our login portal and a new website we are building which is in Blazor, which will become one of our new products. The only place a user should be entering a username and password is our login portal. We have already configured the custom DB connection and it all works fine if we use your universal login screen which we can't for the legacy app.

My question is, how do I take the username and password that has been submitted in our legacy login screen, and send this up to Auth0 for authentication, and upon successful authentication redirect them to our new Blazor website, which is configured already to expect an Auth0 user to arrive.

Hi @john.kirkham

I think you will have to change the legacy app to use a redirect flow (use the Universal Login page). You want SSO between your two apps, and to do so, you need a session. To create a session (which is a cookie in the Auth0 tenant domain), you have to use the Universal Login Page.

John

1 Like

Hi John, thanks for coming back. As I said, we cannot use your universal login page, for our own business reasons. Can you confirm or deny that there is a way of getting this cookie using an API instead, so I can take the username and password, hit an endpoint, get the cookie and redirect the user to our new website. If you can confirm this is 100% not possible, I will have my answer, and we can look at other authentication providers.

Hi John

Cookies do not work via API, they are set by the browser via HTTP headers - this is not Auth0, this is just how cookies work.

Handling passwords yourself is a security risk - it is not necessarily vulnerable, but anytime you deal with passwords, you must take extreme care to protect them. Dealing with the passwords AND implementing SSO between the two apps yourself creates a lot of attack surface area for an attacker to utilize. Again, you can implement this securely, but it takes extreme care.

With Auth0, SSO is handled via the browser session cookie, or alternatively by refresh tokens. I don’t recommend going outside these approaches due to the risks mentioned above.

John

1 Like
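The redirect-based flow John recommends, as an added example that is not from the thread or from Auth0's own SDKs: the first app sends the browser to the tenant's `/authorize` endpoint naming the custom DB connection, Auth0 sets its session cookie in the response to the browser, and the second app can then request `prompt=none` to obtain SSO silently. The tenant domain, connection name, client ids and redirect URIs are placeholders.

```python
# Added example: Authorization Code + PKCE redirects for two apps sharing one
# Auth0 session. The session cookie is set by Auth0's HTTP response to the
# browser, which is why a back-channel username/password call cannot create it.
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "example-tenant.us.auth0.com"    # placeholder tenant domain
CUSTOM_DB_CONNECTION = "legacy-users-db"  # placeholder custom DB connection name


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorize_url(client_id: str, redirect_uri: str, state: str,
                  code_challenge: str, silent: bool = False) -> str:
    """Build the /authorize redirect. connection= routes the login to the
    custom DB connection; silent=True adds prompt=none so Auth0 answers from
    its existing session cookie instead of showing a login page (SSO for the
    second app)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "connection": CUSTOM_DB_CONNECTION,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if silent:
        params["prompt"] = "none"
    return f"https://{TENANT}/authorize?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> Optional[str]:
    """Return the authorization code, or None if state does not match the value
    stored in the app's own session or Auth0 returned an error (for a
    prompt=none request, error=login_required means no Auth0 session exists yet
    and the app should fall back to an interactive redirect)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state or "error" in qs:
        return None
    return qs.get("code", [None])[0]
```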