Hello, we are trying to implement one login for multiple apps, all of them written in NodeJS. We are using express-openid-connect, and we also have a list of excluded users for e2e purposes.
We have app1 and app2, but we also run the application on localhost, for example localhost:3000 and localhost:3001, and the e2e@email excluded from MFA.
What we did:
- Create 1 regular web app, with all the domains in it (Require Multi-factor Auth is None)
- We created one Post Login action with the following code:
```javascript
...
if (
  event.user.user_metadata &&
  event.user.email &&
  !e2eTestUsers.includes(event.user.email)
) {
  api.multifactor.enable('any', { allowRememberBrowser: false })
}
```
Steps to reproduce the expected behaviour:
- Go to app1 (domain) and we should be redirected to the login page.
- We enter our username and password + MFA
- We visit app2 and we should be able to use it
Actual result:
- When going to app2 we are redirected to the login page to enter the MFA code.
What are we doing wrong? How can we get this working to avoid having to enter the authenticator code whenever we change the domain?
Thanks!
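
An added example, not part of the original post: a Post Login Action that requests MFA only when the current Auth0 session has no recent `mfa` entry in `event.authentication.methods`, so a second app on the same tenant session is not challenged again. The `e2eTestUsers` value, `MFA_MAX_AGE_MS` and the helper names are assumptions made for illustration.

```javascript
// Constructed allow-list; the post elides how e2eTestUsers is defined.
const e2eTestUsers = ['e2e@example.test'];
// Hypothetical policy: accept an MFA step completed at most 12 hours ago.
const MFA_MAX_AGE_MS = 12 * 60 * 60 * 1000;

// True when the session already records an MFA step that is recent enough.
// Auth0 lists completed factors as { name, timestamp } objects.
function sessionHasRecentMfa(event, now = Date.now()) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods.some((m) => {
    if (m.name !== 'mfa') return false;
    const age = now - Date.parse(m.timestamp);
    // Unparseable or future timestamps yield NaN or a negative age: reject.
    return age >= 0 && age <= MFA_MAX_AGE_MS;
  });
}

// Decide whether this login must be challenged.
function needsMfa(event, now = Date.now()) {
  const user = event.user || {};
  // Same guard as the Action in the post.
  if (!user.user_metadata || !user.email) return false;
  // E2E accounts stay excluded, matched on the exact email string.
  if (e2eTestUsers.includes(user.email)) return false;
  return !sessionHasRecentMfa(event, now);
}

// Entry point of the Post Login trigger.
async function onExecutePostLogin(event, api) {
  if (needsMfa(event)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Auth0 Actions load the handler from the CommonJS exports object.
if (typeof module !== 'undefined') module.exports = { onExecutePostLogin };
```

Without the age limit, one MFA step would cover the whole lifetime of the tenant session, so the window should be set to match the session timeout policy.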