SSO and Refresh Tokens

We have SSO across all of the sites, which seems to work; the problem comes in on how we implement refresh tokens.

We have multiple sites using Auth0 authentication. I want to know whether Auth0 mirrors the access_token across all of those sites, and if I refresh that token, will it mirror across the sites?

If not, how would we go about using one (mirrored) token for all sites, with it automatically updating across the sub-sites when a token refreshes?

Diagram (only the arrow labels survived): Refresh call; Current token / New token; Can request refresh token

A few questions about your setup, because you're mentioning authentication (not authorization) as well as access token (and not ID token):
What type of applications are these App 1 - App 3 from a technology point of view? How do you work with them and the token?

The reason I’m asking is to understand whether these are client applications where you simply just want to identify a user (=authentication), or whether these are backend servers (APIs) that you want to protect and only grant access with access token (in the sense of OAuth2: your resource servers) (=authorization). If it’s the latter, the question would be whether these three applications are registered as APIs in Auth0 and thus being different audiences. (This is relevant because an access token can only be for one audience, not multiple).

Where do you store the refresh token? And to clarify, is it just one refresh token or three? Which application requests this refresh token in the first place?

The setup isn't 100% clear to me and therefore hard to give a proper answer, but in general, there is no mirroring or similar mechanism in place.

And maybe some helpful resources:

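The point the answer above makes, that an access token is minted for one audience and the mirroring the question asks for does not exist, is easiest to see from the resource server's side. The following is an added example, not code from the thread or from Auth0's SDKs. It mints and validates tokens the way a resource server must (signature, issuer, expiry, audience), using HS256 with a shared secret so it runs offline; Auth0 APIs default to RS256 verified against the tenant's JWKS, but the claim checks are the same. The issuer, the two API identifiers (audiences), the secret and the timestamps are constructed demo values, and `refresh` and `forge_audience` are stand-ins for the refresh-token grant and for a tampering attempt, not real API calls.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the original thread). HS256 with a shared
# secret is used so this runs offline; Auth0 APIs default to RS256 verified
# against the tenant's JWKS, but the claim checks below do not change.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://example-tenant.auth0.com/"
API_ONE = "https://api-one.example"   # API identifier (audience) of App 1's backend
API_TWO = "https://api-two.example"   # API identifier (audience) of App 2's backend


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_access_token(sub: str, audience: str, now: int, ttl: int = 3600) -> str:
    """Stand-in for the authorization server: one token, one audience."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def refresh(sub: str, audience: str, now: int) -> str:
    """Stand-in for the refresh-token grant: a fresh token, still bound to one audience.
    Nothing is pushed to other sites; each site presents whatever token it holds."""
    return mint_access_token(sub, audience, now)


def forge_audience(token: str, new_audience: str) -> str:
    """Tampering attempt: rewrite 'aud' without re-signing (must be rejected)."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["aud"] = new_audience
    return h + "." + _b64url(json.dumps(claims).encode()) + "." + s


def verify_access_token(token: str, expected_audience: str, now: int) -> tuple[bool, str]:
    """The checks a resource server must make before trusting a bearer token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' blindly
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if now >= claims.get("exp", 0):
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:   # token for API one is useless at API two
        return False, "wrong audience"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000                      # constructed timestamp
    tok = mint_access_token("auth0|user1", API_ONE, now)
    print("API one accepts its own token:", verify_access_token(tok, API_ONE, now + 60))
    print("API two rejects it:", verify_access_token(tok, API_TWO, now + 60))
    print("forged aud rejected:", verify_access_token(forge_audience(tok, API_TWO), API_TWO, now + 60))
    new_tok = refresh("auth0|user1", API_ONE, now + 1800)
    print("refreshed token is independent of the old one:", new_tok != tok)
```

Each backend registered as its own API in Auth0 has to validate the audience it was registered with, so a client that talks to three APIs needs three access tokens (or one API that the three sites share), and refreshing one of them hands a new token to the client that requested it, not to the other sites.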
The links you provided really cleared up my misguided understanding.
Thanks!


Perfect! We’re here for you!
