SSO across multiple SPA apps

Hello! I am having trouble with SSO across 2 of my SPA apps.

app1.domain1.com - has private & public routes
app2.domain2.com - has all private routes

My apps are currently on different top-level domains and they each have their own Auth0 application. When I log into app2 and navigate to app1, I am not automatically logged in when calling checkSession (from the auth0-spa-js lib).

I noticed that when I log into app2 I get an auth0.[clientId].isAuthenticated cookie. Does this cookie need to be present on app1 when it loads to automatically be logged in? If so, does this mean the apps need to be on the same top-level domain so I can use a cookieDomain of .domain1.com? And do I need to share a single Auth0 application across both apps so the apps use the same auth0.[clientId].isAuthenticated cookie?

Thank you

I ended up putting both apps on the same top-level domain and have both apps using the same Auth0 application (so the apps share the same clientId). So my example is now:

app1.domain1.com - has private & public routes
app2.domain1.com - has all private routes

With this setup I was able to use .domain1.com as the cookieDomain parameter I pass into the auth0-spa-js lib. Both apps now can share the auth0.[clientId].isAuthenticated cookie.

I’m not sure if this is the correct approach, but it seems to work for my use case.

1 Like
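
Why a cookie with a cookieDomain of .domain1.com can be shared between the two subdomains in the reply above, but not between domain1.com and domain2.com hosts as in the original setup: an added example (not part of the original posts and not code from auth0-spa-js) that models the RFC 6265 domain-matching rules a browser applies. The hostnames are the thread's placeholders plus a constructed `other.domain1.com`; the function names are hypothetical.

```javascript
// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two are
// identical, or the host ends with "." + domain and the host is not an IP address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Section 5.3: a browser ignores a cookie whose Domain attribute does not
// domain-match the host setting it. Browsers also reject a Domain that is a
// public suffix such as "com"; that needs the Public Suffix List and is not modelled.
function canSet(settingHost, cookieDomain) {
  return domainMatches(settingHost, cookieDomain);
}

// True when a cookie written on writerHost is visible on readerHost.
// With no Domain attribute the cookie is host-only: exact host match required.
function isShared(writerHost, readerHost, cookieDomain) {
  if (cookieDomain == null) return writerHost.toLowerCase() === readerHost.toLowerCase();
  return canSet(writerHost, cookieDomain) && domainMatches(readerHost, cookieDomain);
}

// The setups described in the thread, plus one constructed sibling host.
function report() {
  const cases = [
    ["app2.domain2.com", "app1.domain1.com", ".domain1.com"], // original setup
    ["app2.domain1.com", "app1.domain1.com", undefined],      // same domain, host-only
    ["app2.domain1.com", "app1.domain1.com", ".domain1.com"], // setup from the reply
    ["app2.domain1.com", "other.domain1.com", ".domain1.com"], // constructed sibling
  ];
  return cases.map(([writer, reader, dom]) =>
    `${writer} -> ${reader} (Domain=${dom ?? "none"}): ${isShared(writer, reader, dom)}`);
}

console.log(report().join("\n"));
```

The last case shows the scope that comes with this setting: a cookie with Domain .domain1.com is sent to every subdomain of domain1.com, not only to the two apps.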
