
SSO for "highly trusted" desktop applications

auth0
sso
login

#1

I have a couple of “highly trusted client” desktop applications for which I want to implement SSO. My applications in Auth0 have the “Use Auth0 instead of the IdP to do Single Sign On” setting enabled, and my Auth0 tenant has the SSO cookie timeout set to 120 minutes.

Suppose my first application uses the following request to log in a user.

POST {{baseUrl}}/oauth/token
{
    "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
    "realm": "{{realm}}",
    "username": "{{username}}",
    "password": "{{password}}",
    "audience": "{{apiIdentifier}}",
    "client_id": "{{clientId}}"
}

The response contains an access token as expected, and the user record in my Auth0 tenant is updated to show a Latest Login of “a few seconds ago.”

However, what about the SSO session? Was the cookie set? Can my second application now get an access token for the user without asking the user for credentials? How would I accomplish this?

The docs suggest silent authentication using the /authorize endpoint, but I need to check the SSO session in a way that does not involve redirects since these are desktop applications.


#2

@bugged, sorry for the late response. The grant you are using, as implied by "highly trusted client", does not support SSO. This is either a back-channel login or a cross-domain XHR. In both situations a cookie will not be set.

If you want to do cross-origin authentication and establish an SSO session/cookie with Auth0 you will need to do something like this:

The docs suggest /authorize?prompt=none for SSO when an SSO cookie exists. The problem you are facing is that this authorization grant does not issue an Auth0 session cookie. So there isn't a way to achieve SSO with Auth0 when using this grant type.


#3

Let me gather some more info and reply back. In the meantime, is there an explicit way to determine if the SSO cookie has been set for a specific user? For example, dashboard, management API, auth API, etc.


#4

To my knowledge there is no explicit way to find this out, besides, of course, having the user do a redirect to /authorize with prompt=none. This is how checkSession and the new getSsoData work in Auth0.js. However, if you are looking to query for active open sessions, I am not aware of any way to get this info.
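The check described in #2 and #4 (send the user's browser to /authorize with prompt=none and read the result) has to go through a browser, because the Auth0 session lives in a cookie on the Auth0 domain that the password-realm grant from #1 never sets. The example below is added here and is not code from the original thread or from Auth0; it assumes a native app that registers a loopback redirect URI (http://127.0.0.1:8765/callback, as native apps commonly do) and opens the system browser, and uses placeholder tenant, client and audience values. It builds the prompt=none request with PKCE, classifies the callback the loopback listener receives (an OIDC login_required / interaction_required / consent_required error means "no usable SSO session", a code means the second app can exchange it for a token without prompting for credentials) and prepares the code exchange body. The sample callback URLs are constructed for illustration. The first app would establish the session by running the same /authorize flow without prompt=none instead of the password-realm grant.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder tenant values (assumptions for this example, not from the thread).
AUTH0_DOMAIN = "example.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
AUDIENCE = "https://api.example.com"
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback redirect for a native app

# OIDC error codes that mean "no session usable without user interaction".
NO_SESSION_ERRORS = {"login_required", "interaction_required", "consent_required"}


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for a public native client."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_silent_authorize_url(state, nonce, code_challenge):
    """The /authorize request the app opens in the system browser to probe the SSO cookie."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile offline_access",
        "audience": AUDIENCE,
        "state": state,            # bound to this attempt; checked on the way back
        "nonce": nonce,            # echoed in the ID token, checked after exchange
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "none",          # never show a login page; fail instead
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def classify_callback(callback_url, expected_state):
    """Interpret the URL the browser hit on the loopback listener.

    Returns (status, detail): "code" with the authorization code,
    "no_session" with the OIDC error, "error" for any other error, or
    "invalid" when the response must be discarded (e.g. state mismatch).
    """
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [None])[0]
    if state != expected_state:
        return "invalid", "state mismatch; discard the response"
    if "error" in q:
        err = q["error"][0]
        if err in NO_SESSION_ERRORS:
            return "no_session", err
        return "error", err
    if "code" in q:
        return "code", q["code"][0]
    return "invalid", "neither code nor error in callback"


def token_request_body(code, code_verifier):
    """Body for POST https://{AUTH0_DOMAIN}/oauth/token once a code came back."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": REDIRECT_URI,
    }


# Constructed sample callbacks, as the loopback listener would receive them.
SAMPLE_CALLBACK_NO_SESSION = (
    REDIRECT_URI + "?error=login_required&error_description=Login+required&state=st4te"
)
SAMPLE_CALLBACK_CODE = REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=st4te"

if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("open in browser:", build_silent_authorize_url(state, nonce, challenge))
    print(classify_callback(SAMPLE_CALLBACK_NO_SESSION, "st4te"))
    print(classify_callback(SAMPLE_CALLBACK_CODE, "st4te"))
    print(token_request_body("SplxlOBeZQQYbYS6WxSbIA", verifier))
```

A "no_session" result is the signal that the second app must fall back to an interactive login; treating any other error the same way would hide misconfiguration (for example a redirect URI that is not allowed for the client), and accepting a callback whose state does not match would let a response from an unrelated attempt be injected into this one.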