Single Log In Across Multiple SPA Applications Without Relying on 3rd Party Cookies

Problem statement

When SSO is implemented, what happens when third-party cookies disappear on B2C websites? Our current behaviour is the following (it depends on the browser):

  • Log in to website 1: the user is automatically logged into website 2.
  • Log in to website 1: the user is logged into website 2 without filling out credentials, although they do need to click on the login button.

Our technical implementation is the following:

  • When landing on the website, the Auth0 client is set up and calls the getTokenSilently function.
  • If a token is returned, it is stored in a cookie.

Cause

When third-party cookies are available, silent authentication can be leveraged to check whether the user has a session with the Auth0 layer.

This does not work on browsers where third-party cookies are disabled, for example a Chrome Incognito window or Safari. An Auth0 tenant stores its session in a cookie on the tenant's own domain. Because the tenant and the applications belong to different domains, that session cookie is a third-party cookie from the applications' point of view, and the browser will not send it during the silent authentication request.

Solution

Here are two potential solutions:

Leveraging the “cookieDomain” option

If the applications share a parent domain, set the “cookieDomain” option to that parent domain.

This will ensure the cookie is accessible across multiple subdomains.
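An added example (not code from the article or from the Auth0 SDK) that derives the shared parent domain for a set of SPA hostnames and builds the options object for the Auth0 client. It assumes the @auth0/auth0-spa-js v2 option names (clientId, cookieDomain, useRefreshTokens), the leading-dot form of cookieDomain that the SDK documentation uses for sharing across subdomains, and constructed hostnames under example.com.

```javascript
// Added example: pick a cookieDomain that covers every application host
// without scoping the cookie wider than the shared parent domain.
// Assumes @auth0/auth0-spa-js v2 option names.

// Constructed sample: three SPAs that share the parent domain example.com.
const APP_HOSTS = ["shop.example.com", "account.example.com", "help.example.com"];

// Longest common suffix of DNS labels shared by every host, as ".a.b".
function sharedCookieDomain(hosts) {
  if (hosts.length === 0) return null;
  const split = hosts.map((h) => h.toLowerCase().split(".").reverse());
  const common = [];
  for (let i = 0; ; i++) {
    const label = split[0][i];
    if (label === undefined || !split.every((s) => s[i] === label)) break;
    common.push(label);
  }
  // A single shared label (e.g. "com") is a bare TLD: browsers reject such a
  // cookie domain, and it would scope the session far too widely. A complete
  // check should also consult the Public Suffix List (e.g. "co.uk").
  if (common.length < 2) return null;
  // Leading dot: the form the SDK documentation uses for cross-subdomain cookies.
  return "." + common.reverse().join(".");
}

// Options object to pass to createAuth0Client(); tenant domain and client id
// are placeholders supplied by the caller.
function buildAuth0Options(hosts, tenantDomain, clientId) {
  const cookieDomain = sharedCookieDomain(hosts);
  if (cookieDomain === null) {
    throw new Error("applications do not share a parent domain; use the redirect approach");
  }
  return {
    domain: tenantDomain,
    clientId,
    cookieDomain,           // SDK cookies become readable from every subdomain
    useRefreshTokens: true, // keeps sessions alive without silent auth iframes
  };
}
```

If sharedCookieDomain returns null, the applications are on unrelated domains and the cookieDomain option cannot help; the redirect approach below applies instead.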

Redirect the users to the Universal Login Page

Redirect the users to the Universal Login Page when an application is loaded. If the user already has a session with the tenant, they will be redirected back to the app without inputting a password. After that, you can rely on the refresh token.

NOTE: Only do this once, when an application loads; redirecting users while they are browsing the page will damage the user experience.

// On application load, try silent authentication first. If it fails (for
// example because the browser blocks third-party cookies), send the user to
// the Universal Login Page once.
try {
  await auth0Client.getTokenSilently();
} catch (err) {
  console.log("[Silent Auth]", err);
  console.log("[Silent Auth] Cannot get token silently. Redirecting...");
  await auth0Client.loginWithRedirect();
}

// When the user comes back from the Universal Login Page, process the
// authorization response carried in the callback URL. On a normal page load
// (no "code" and "state" query parameters) this throws, which is why it is
// wrapped in its own try/catch.
try {
  await auth0Client.handleRedirectCallback();
} catch (err) {
  console.log("[Redirect Callback]", err);
}

NOTE: This implementation does not ensure Single Log Out. Single Log In and Single Log Out are different things.