SSO, .net Core API + Multiple Angular Frontend Applications

Hi guys, hope you can direct me to some docs or examples, or give some info here.

We have been trying to get a certain concept up and running to no avail:

We have a single database
Single API built with .net Core 2.2
And we will have multiple front ends on different domains

I need to be able to log in once on any of the applications, and the session should persist when navigating to the various front-end applications built with Angular.

At the moment we need to re-authenticate when navigating to a new domain.

Thanks for taking the time :slight_smile:

If you use universal login, it should be automatic.
When the user goes to the first application and there is no local session (an access_token in the case of a SPA), the app redirects to Auth0, where login happens, a centralised session is created and tokens are issued to the app.

Now when the user navigates to the next app, it redirects to Auth0 as well, where a new set of tokens is issued without prompting for credentials, as an Auth0 session already exists from the first app's login.

There are other techniques where you can avoid the redirect in the second app by using silent authentication.

Thanks! Will have a look and revert. Appreciate the prompt response!

1 Like

So we went through the links, very helpful thanks.

If my understanding is correct, we only need one application to authenticate against regardless of the amount of frontend applications?

For example: we have a ‘mother’ application and from there you are able to navigate to multiple ‘child’ applications. Each child application would be its own project and domain.

Can we then utilise the universal login so that each of these child applications can authenticate to the one auth0 application as per the diagram example? From the user’s perspective they should only log in once regardless of how they decide to navigate across each application.

Or do we need to set up an auth0 application for each of these child applications?

You will create an Auth0 application/client for each child app. During the first application (‘mother’) login, the user enters credentials in Auth0, which creates an SSO session and issues tokens for the mother app.

Now when the user navigates to a child app, it redirects to Auth0 again (with silent auth) and the user will NOT be prompted, as there is already a session. The end result is that the user is logged into the child app seamlessly. The same flow repeats for additional child apps.

HTH,

Thanks! we were able to create a session and also reuse that session on a different domain with a second application.

Our question now is: once logged out from one of those applications, how do we enforce session termination on the other applications? If they refresh the Angular application (child), then we get redirected to the Auth0 login page, which is perfect.

But when a function or navigation call is made, we are still able to continue. What would your advice be on how to correctly check or implement this to prevent these calls from being allowed?

Currently the only option is to call checkSession periodically from each SPA.

For example, when a user logs out of an app, it clears its local session (deletes tokens etc.) and also logs out of Auth0. Now the checkSession call from the other apps would fail with an error, and they can do the clean-up by forcing a local logout etc. Please note, checkSession today issues tokens on each invocation, so it’s an expensive call, especially if you have many rules in your tenant. Please choose an appropriate polling interval.

We also have OIDC front-channel logout on our roadmap to better support the above scenario.

Thanks for the detailed response.

I'll bother you with one more question :slight_smile:

Is it possible for us to verify authentication with our web api after a login instead of having to go to Auth0 every time someone is navigating and making a data call? We are looking at route guards but feel having to ping Auth0 each time is overkill.

Thanks Zulfiqar

You shouldn’t be coming to Auth0 each time. Basically, Auth0-issued access_tokens are JWTs and thus are self-contained. The receiving API can validate the tokens without contacting Auth0. It only needs access to the Auth0 signing key, which is retrievable from the JWKS endpoint.

Hope that helps,
Zulfiqar

Hi,
Could you please guide us on a specific way to periodically check for logout in an Angular application? Do we need to write an authentication guard to check if the user has logged out from one application?

Regards,
Imran

Please see this article and sample.

// check every 15 minutes if the SSO session is still active

setInterval(function() {
  // if the token is not in local storage, there is nothing to check (that is, the user is already logged out)
  if (!localStorage.getItem('userToken')) return;

  auth0.checkSession(function (err, data) {
    if (err) { 
      // if we get here, it means there is no session on Auth0,
      // then remove the token and redirect to #login
      localStorage.removeItem('userToken');
      window.location.href = '#login';
    }
  });
}, 900000)
1 Like

Thanks, we ended up writing our own service that manages a boolean flag; this way we can ping every 15 seconds :slight_smile:

1 Like
