
OIDC compliant SSO not working for me

sso
sso-integrations
oidc
oidc-conformant
not-working

#1

I have been trying to implement OIDC-compliant SSO between 2 client applications and it just won’t work.

  • CLIENT 1: NodeJS web app
  • CLIENT 2: Angular2 SPA
  • SERVER 1: NodeJS REST API

Each client application has its own corresponding Auth0 Client configuration and is configured to be OIDC Conformant from the dashboard. The API has a corresponding Auth0 API configuration. Both client applications use the Auth0 Hosted Login Page to perform authentication.

The problem is that when I log in to Client 1 and then I navigate over to Client 2 and login, Client 2 goes through the full authentication flow. It is as if it knows nothing about the fact that I just logged in to Client 1 with the same user account.

I’ve been troubleshooting this for a few days. This is not a matter of me using the Google or FB development keys. I have my own custom application IDs for both.

For Client 1, I’m using the node auth 2.7 package and the auth0-oidc passport strategy. The authentication code looks like this.

const express = require('express');
const passport = require('passport');

const app = express();

// auth0Config (clientId, domain, redirectUrl, audience) is loaded elsewhere
// in the app; the passport 'auth0-oidc' strategy is registered before this.

// Client 1: start the OIDC authorization code flow. passport.authenticate
// redirects the browser to the Auth0 Hosted Login Page.
app.get('/login',
    passport.authenticate('auth0-oidc', {
        clientID: auth0Config.clientId,
        domain: auth0Config.domain,
        redirectUri: auth0Config.redirectUrl,
        audience: auth0Config.audience,
        responseType: 'code',
        scope: 'openid'
    }),
    function(req, res) {
        res.redirect('/');
    }
);

For Client 2, I’m using auth-js 8.8.

  import * as Auth0 from 'auth0-js';

  // Client 2: auth0.js 8.x WebAuth client for the Angular SPA
  this.auth0 = new Auth0.WebAuth({
    clientID: AUTH_CONFIG.CLIENT_ID,
    domain: AUTH_CONFIG.CLIENT_DOMAIN
  });

  // Redirect to the Hosted Login Page with the chosen /authorize options
  this.auth0.authorize(options);

Is there anything obvious about my approach that is causing my SSO failure?


#2

In my troubleshooting, I have also tried using renewAuth() from Client 2

  // Try to get tokens without user interaction: renewAuth() loads
  // /authorize with prompt=none in a hidden iframe and posts the result
  // back to _handleAuth via window.postMessage
  silentLogin() {
    let options = {
      responseType: 'token id_token',
      redirectUri: AUTH_CONFIG.REDIRECT,
      audience: AUTH_CONFIG.AUDIENCE,
      scope: AUTH_CONFIG.SCOPE,
      usePostMessage: true
    };

    this.auth0.renewAuth(options, this._handleAuth);
  }

and SSO still fails with an error,

{
  error: "login_required",
  errorDescription: "Login Required"
}

Does this provide any additional insight?

I do have a redirect rule. Could that be a source of interference?


#3

You seem to have covered all your bases, but just confirming, have you enabled "Use Auth0 instead of the IdP to do Single Sign On" in the client settings?


#4