Hi guys, hope you can direct me to some docs, examples or give some info here.
We have been trying to get a certain concept up and running to no avail:
We have a single database
Single API built with .NET Core 2.2
And we will have multiple front ends on different domains
I need to be able to log in once on any of the applications and the session should persist when navigating to the various front end applications built with Angular.
At the moment we need to re-authenticate when navigating to a new domain.
If you use universal login, it should be automatic.
When the user goes to the first application, and there is no local session (access_token in case of a SPA), the app would redirect to Auth0, where login happens, a centralised session is created and tokens are issued to the app.
Now when the user navigates to the next app, it would redirect to Auth0 as well, where a new set of tokens would be issued without prompting for credentials, as an Auth0 session already exists from the 1st app login.
There are other techniques where you can avoid the redirect in the 2nd app by using silent authentication.
So we went through the links, very helpful thanks.
If my understanding is correct, we only need one application to authenticate against regardless of the number of frontend applications?
For example: We have a ‘mother’ application and from there you are able to navigate to multiple ‘child’ applications. Each child application would be its own project and domain.
Can we then utilise the universal login so that each of these child applications can authenticate to the one Auth0 application as per the diagram example? From the user’s perspective they should only log in once regardless of how they decide to navigate across each application.
Or do we need to set up an Auth0 application for each of these child applications?
You will create an Auth0 application/client for each child app. During the first application (‘mother’) login, the user will enter credentials in Auth0, which creates an SSO session and issues tokens for the mother app.
Now when the user navigates to a child app, it would redirect to Auth0 again (with silent auth) and the user will NOT be prompted as there is already a session. The end result is, the user would be logged into the child app seamlessly. The same flow repeats for additional child apps.
Thanks! We were able to create a session and also reuse that session on a different domain with a second application.
Our question now is: once logged out from one of those applications, how do we enforce a session termination on the other applications? If they refresh the Angular application (child) then we get redirected to the Auth0 login page, which is perfect.
But when a function or navigation call is made we are still able to continue. What would your advice be on how to correctly check for or implement this, to prevent these from being allowed?
Currently the only option is to call checkSession periodically from each SPA.
For example, when a user logs out of an app, it clears its local session (deletes tokens etc.) and also logs out of Auth0. Now the checkSession call from the other apps would fail with an error and they can do the cleanup by forcing a local logout etc. Please note, checkSession today issues tokens on each invocation, so it’s an expensive call, especially if you have many rules in your tenant. Please choose an appropriate polling interval.
We also have OIDC front-channel logout on our roadmap to better support the above scenario.
Is it possible for us to verify authentication with our web api after a login instead of having to go to Auth0 every time someone is navigating and making a data call? We are looking at route guards but feel having to ping Auth0 each time is overkill.
You shouldn’t be coming to Auth0 each time. Basically, Auth0-issued access_tokens are JWTs and thus are self-contained. The receiving API can validate the tokens without contacting Auth0. It only needs access to the Auth0 signing key, which is retrievable from the JWKS endpoint.
Hi,
Could you please guide us on a specific way to check periodically for logout in an Angular application? Do we need to write an authentication guard to check if the user logged out from one application?
// Assumes `auth0` is a WebAuth instance created with auth0.js at app start-up, e.g.
// new auth0.WebAuth({ domain: YOUR_DOMAIN, clientID: YOUR_CLIENT_ID, redirectUri: ..., responseType: 'token id_token' })
// Check every 15 minutes whether the Auth0 SSO session is still active.
setInterval(function () {
  // If the token is not in local storage there is nothing to check
  // (that is, the user is already logged out locally).
  if (!localStorage.getItem('userToken')) return;

  // checkSession(options, callback) performs a silent authentication request;
  // it fails once the central Auth0 session has been terminated,
  // for example by a logout from another application.
  auth0.checkSession({}, function (err, authResult) {
    if (err) {
      // No session on Auth0 any more: remove the local token and redirect to #login.
      localStorage.removeItem('userToken');
      window.location.href = '#login';
    }
  });
}, 900000); // 15 minutes in milliseconds