Using a persistent login

I am using the auth0-spa-js library following these instructions: https://auth0.com/docs/quickstart/spa/angular2/. Login works fine; however, what I’d like to achieve is the following…

A user logs into another application on the same tenant, we’ll call it portal.example.com. If that user then goes to checkout.example.com they are asked to login again. We want the flow to check if the user is already logged in (even if originally at portal[dot]example[dot]com) and automatically login the user.

Is this possible?

Hi,

It looks like you are trying to achieve SSO. If you have enabled Seamless SSO, the users will not be prompted to enter credentials when navigating to checkout.example.com. As the user has an active session in the same user agent, the user should be logged in automatically. https://auth0.com/docs/dashboard/guides/tenants/enable-sso-tenant

Optionally, you can opt in to store the token in the local storage. However, it does not provide persistence across page refreshes and browser tabs. https://auth0.com/docs/libraries/auth0-spa-js#change-storage-options

You can also try to enable refresh token flow which replaces the silent authentication (prompt=none). https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens
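The following is an added example of the second application (checkout.example.com) checking for an existing tenant session before showing a login page; it is not code from this thread or from the auth0-spa-js project. It assumes auth0-spa-js v1 (createAuth0Client, getTokenSilently, loginWithRedirect and handleRedirectCallback are that SDK's real APIs); the tenant domain, client id, audience and URLs are placeholders, and the cacheLocation and useRefreshTokens options are the two settings the reply above links to.

```javascript
// Added example, not from the thread or the auth0-spa-js project.
// Assumes auth0-spa-js v1. Tenant domain, client id, audience and URLs are placeholders.

// Options the second application (checkout.example.com) would pass to createAuth0Client.
const CHECKOUT_OPTIONS = {
  domain: 'YOUR_TENANT.auth0.com',           // placeholder: the shared tenant
  client_id: 'CLIENT_ID_B',                  // placeholder: checkout's own client id
  audience: 'https://api.example.com',       // placeholder: API identifier
  redirect_uri: typeof window !== 'undefined'
    ? window.location.origin
    : 'https://checkout.example.com',        // placeholder when not in a browser
  cacheLocation: 'localstorage',             // keep tokens across refreshes and tabs
  useRefreshTokens: true,                    // use refresh tokens instead of prompt=none
};

// Error codes from getTokenSilently() that mean "no usable session, interactive login needed".
// Auth0 returns 'login_required' when the tenant has no active session (or when the silent
// iframe cannot see it, e.g. third-party cookies blocked); the other two are OIDC codes for
// the same situation with consent or other interaction outstanding.
const INTERACTIVE_LOGIN_ERRORS = new Set([
  'login_required',
  'consent_required',
  'interaction_required',
]);

function needsInteractiveLogin(err) {
  return Boolean(err) && INTERACTIVE_LOGIN_ERRORS.has(err.error);
}

// Try the tenant session silently first; only redirect to the login page when Auth0
// says interaction is required. Returns 'authenticated' or 'redirect'; any other
// error (network, misconfiguration) propagates so it is not silently swallowed.
async function ensureSession(client) {
  try {
    await client.getTokenSilently();
    return 'authenticated';
  } catch (err) {
    if (needsInteractiveLogin(err)) {
      await client.loginWithRedirect();
      return 'redirect';
    }
    throw err;
  }
}

// Browser entry point: finish a redirect login if we are returning from Auth0
// (code and state in the query string), otherwise attempt the silent path above.
async function bootstrap(createClient) {
  const client = await createClient(CHECKOUT_OPTIONS);
  const params = new URLSearchParams(window.location.search);
  if (params.has('code') && params.has('state')) {
    await client.handleRedirectCallback();
    // Strip the code/state from the address bar so a refresh does not replay them.
    window.history.replaceState({}, document.title, window.location.pathname);
  }
  return ensureSession(client);
}

// Only run automatically when loaded in a page that has the SDK's global available.
if (typeof window !== 'undefined' && typeof createAuth0Client === 'function') {
  bootstrap(createAuth0Client).then((state) => console.log('session:', state));
}
```

The silent attempt is what relies on the tenant session created at portal.example.com: with Seamless SSO enabled, getTokenSilently() succeeds in the checkout app without any prompt, and the user is only sent to the login page when Auth0 reports that no session exists.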

Thank you for the reply. This is a new tenant, so Seamless is enabled by default. I'll look into the refresh.

Hello again - it seems there is a contradiction in your comment and the documentation: https://auth0.com/docs/libraries/auth0-spa-js#change-storage-options.

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs.

Can you clarify what should be used if I want seamless SSO? Also, can you confirm that it’s OK if these are two separate applications, as long as they’re on the same tenant? Does the audience matter?

Hello,

We are still trying to work this out and it’s becoming a deal breaker. Is there some reliable documentation on using the JS SPA SDK and seamless SSO? For example, if we have one application that uses Client ID A, and this is where the user logs in, should that user then be able to visit an application that uses Client ID B and seamless SSO work? Does the audience play a factor? What about scope?

These are all things that we’re kind of left just guessing at as we can’t find documentation that seems to be up-to-date.