Just a follow-up for anyone else struggling with this. I’ve ended up getting a decent implementation going.
I set up a /api/auth/silent route on my auth0 handler that takes in a redirect query param and fires off a login attempt with prompt=none, with that redirect URL set as the returnTo on the authorization request. When it comes back through my callback handler I detect the specific error codes for this silent auth situation and just swallow the error, redirecting them to the returnTo route anyway.
This way I can proxy all bounces between my subdomains via this API route to log them in if they have a session in any of my subdomains, by sending them to api/auth/silent?redirect=/blabla.
It doesn’t handle users manually bouncing between the subdomains and auto-logging them in, though I don’t think that’s possible without triggering silent auth on every page load or polling it, both of which sound too network-chatty and expensive.
Hopefully this helps someone. You should be able to follow the same pattern for any server-side auth0 SDK that has some way to do silent authentication; for browser-based auth SDKs, they expose a checkSession method that you could use from the client app to do the same thing without needing a proxy API.