We have SSO across all of the sites that seems to work; the problem comes in on how we implement refresh tokens.
We have multiple sites using Auth0 authentication. I want to know: does Auth0 mirror the access_token across all of those sites, and if I refresh that token, will it mirror across the sites?
If not, how would we go about using one (mirrored) token for all sites and have it automatically update across the sub-sites when a token refreshes?
A few questions about your setup, because you're mentioning authentication (not authorization) as well as access token (and not ID token):
What type of applications are these App 1 - App 3 from a technology point of view? How do you work with them and the token?
The reason I’m asking is to understand whether these are client applications where you simply just want to identify a user (=authentication), or whether these are backend servers (APIs) that you want to protect and only grant access with an access token (in the sense of OAuth2: your resource servers) (=authorization). If it’s the latter, the question would be whether these three applications are registered as APIs in Auth0 and thus being different audiences. (This is relevant because an access token can only be for one audience, not multiple).
Where do you store the refresh token? And to clarify, is it just one refresh token or three? Which application requests this refresh token in the first place?
The setup isn’t 100% clear to me and it is therefore hard to give a proper answer, but in general, there is no mirroring or similar mechanism in place.
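
The audience point in the reply above, as an added example that is not part of the original thread: each API (resource server) checks the `aud` claim of the access token it receives, so a token issued for one API is not honoured by the other two. The shared HS256 key, the issuer, the three audience URLs and the function names are constructed for illustration and are not Auth0's own code or configuration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"              # assumption: shared HS256 secret
ISSUER = "https://tenant.example/"         # hypothetical issuer
APIS = ["https://app1.example/api", "https://app2.example/api",
        "https://app3.example/api"]        # hypothetical audiences

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def mint(audience: str, ttl: int = 300) -> str:
    """Constructed stand-in for the authorization server issuing a token."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": audience, "sub": "user-1",
              "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

def accept(token: str, my_audience: str) -> bool:
    """Resource-server check: alg, signature, issuer, expiry, then audience."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return False
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return False
    aud = claims.get("aud")                # a string or a list of strings
    return my_audience in (aud if isinstance(aud, list) else [aud])

def who_accepts(token: str) -> list:
    """Which of the three APIs would honour this token."""
    return [api for api in APIS if accept(token, api)]

if __name__ == "__main__":
    print(who_accepts(mint(APIS[0])))
```
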