
Rarely asked to actually log in, i.e. provide a password


#1

New to Auth0 and thought I had successfully incorporated it. I am building an SPA with Vue and a Flask API. All I know is that in my testing, each time I “log in,” the user account just goes straight to the callback page without being asked for a password. I click Log Out regularly. The User Detail page shows “Latest Login” was 6 days ago. On the other hand, if I go to the “History” tab for that same user, there are dozens of “SuccessLogin” entries all within a few hours ago, a day ago, etc.

Why am I not being asked for a password each time I log in?


#2

Hi @fredrogers
You are not asked to authenticate again because even though you may have logged out of the application, you still have a session in the Auth0 domain. These sessions in Auth0, which are independent of whatever session the application manages, help to achieve single sign-on between many applications that are protected by the same Auth0 domain.
As an analogy, think of Gmail and YouTube. If you open Gmail, you are asked to log in at https://accounts.google.com (Google’s identity provider). If you head to YouTube, you don’t need to type credentials again, because YouTube uses the same identity provider and you still have a session there.

You can control the duration of the Auth0 session at the tenant’s Advanced Settings (look under Login Session Management). You can also log the user out of Auth0 by using the logout endpoint.
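The two sessions described in the reply above (the SPA's own tokens and the session Auth0 keeps on the tenant domain) are easy to confuse, so here is an added example that is not code from this thread or from Auth0's SDK. It models the tenant session with a small in-memory class and shows three things: an app-only "Log Out" that leaves the Auth0 session alive, so the next `/authorize` round trip succeeds without a password; `prompt=login` on the authorize request, which forces the login form even when a session exists; and the real `/v2/logout` URL (with `client_id` and `returnTo`) that actually ends the tenant session. The tenant domain, client ID, return URL and browser identifier are placeholder assumptions.

```javascript
// Added example, not code from the thread or from Auth0. Models the difference
// between the SPA's local session and the session Auth0 keeps on the tenant.
// All names below (domain, client ID, returnTo, browser IDs) are placeholders.

const TENANT_DOMAIN = 'example-tenant.auth0.com'; // assumed placeholder

// Toy stand-in for the tenant's server-side session store. A real tenant keys
// this by a cookie set on the Auth0 domain, which is why it survives the app's
// own logout and is shared by every application on the same tenant.
class Auth0TenantModel {
  constructor() {
    this.sessions = new Set(); // browser IDs that currently hold a tenant session
  }

  // /authorize: with an existing tenant session Auth0 issues a code without
  // showing the login form (SSO). prompt=login forces the form regardless.
  authorize(browserId, { prompt } = {}) {
    if (this.sessions.has(browserId) && prompt !== 'login') {
      return { promptedForPassword: false };
    }
    this.sessions.add(browserId); // user typed credentials; session (re)created
    return { promptedForPassword: true };
  }

  // /v2/logout: apart from expiry, the only thing that drops the tenant session.
  logout(browserId) {
    this.sessions.delete(browserId);
  }
}

// Builds the real Auth0 logout URL. returnTo must be listed in the
// application's Allowed Logout URLs or Auth0 rejects the request.
function buildAuth0LogoutUrl(domain, clientId, returnTo) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Minimal SPA: keeps tokens in memory and exposes both kinds of logout.
function createSpaApp(tenant, clientId, returnTo) {
  let tokens = null;
  return {
    // Returns true when the user actually had to enter a password.
    login(browserId, opts) {
      const result = tenant.authorize(browserId, opts);
      tokens = { browserId }; // stand-in for the issued tokens
      return result.promptedForPassword;
    },
    isLoggedIn() {
      return tokens !== null;
    },
    // What a "Log Out" button that only clears local state does.
    logoutLocalOnly() {
      tokens = null;
    },
    // Clears local state and sends the browser to /v2/logout.
    logoutEverywhere(browserId) {
      tokens = null;
      tenant.logout(browserId); // models what following the redirect does
      return buildAuth0LogoutUrl(TENANT_DOMAIN, clientId, returnTo);
    },
  };
}

// Walks through the scenario from the question and returns the observations.
function demo() {
  const tenant = new Auth0TenantModel();
  const app = createSpaApp(tenant, 'abc123', 'https://app.example/');
  const browser = 'browser-1'; // constructed identifier

  const first = app.login(browser);               // true: password prompt
  app.logoutLocalOnly();                          // app forgets its tokens...
  const second = app.login(browser);              // false: ...but Auth0 did not
  const forced = app.login(browser, { prompt: 'login' }); // true: form forced
  const logoutUrl = app.logoutEverywhere(browser); // ends the tenant session
  const third = app.login(browser);               // true: password prompt again

  return { first, second, forced, logoutUrl, third, loggedIn: app.isLoggedIn() };
}
```

In a real SPA the local-only path is what clearing tokens from storage amounts to; the "Latest Login" versus "History" discrepancy in the question matches this model, since a silent `/authorize` still logs a SuccessLogin event without a password being entered.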


#3

But Gmail and YouTube are both owned by the same company and use the same user account. What you are describing is that someone logs into some other web site on the other side of the world that just happens to also use Auth0, and now they have a valid session on my application because I also utilize the Auth0 domain for login services. Or vice versa.

Maybe I am mis-interpreting you, but it sounds like you are prioritizing the Auth0 domain over the individual domains of your customers, i.e. the application developers, in the sense that valid sessions outlive the logout requests on the customer domain.