Auth0: How to enable silent authentication in Hosted Login Page?

I'm using the hosted screen of Auth0. I want the following scenario to work:

  • Let's say I have 2 apps: app1 and app2.
  • One of the users signed in by providing email+password in app1.
  • The user then navigated to app2.
  • Auth0 detected that the user has already signed in, so it redirects the user back to app2 WITHOUT having her sign in again.

But what I'm facing is this screen:

Auth0 lock screen

How can I save my user this additional click? How do I implement silent authentication? I know that you have to pass prompt=none to the /authorize API, but since I'm not manually calling the API, how do I make the lock call /authorize with prompt=none?

Mihir asked Oct 30 '17 06:10





1 Answer

What you want is silent SSO which is related to SSO but kind of independent.

The key is in the prompt param. This needs to be none in order for the user to not be prompted for login when he's already logged in to Auth0's Authorization Server ("central SSO").

One annoying thing I found is that prompt is taken literally, so if the user is not logged in yet, he will not be prompted to log in (you'd think it'd make sense to prompt the user when not logged in, right?).

In this case SSO will redirect to your app's /authorize with an error like "authentication required", and you'll have to handle it by redirecting the user to your /login endpoint again, but passing prompt=true so that it knows that this time he'll have to pass prompt=true to Auth0's hosted login page.

To make things a bit uglier, currently passport-auth0-openidconnect seems to ignore the params you pass to the strategy unless you monkey patch one of the methods involved (I created a PR for it; I don't know when it will be approved and/or if it makes sense).

Essentially:

  • Pass prompt=none
  • If the user is already logged in, he will silently be logged in to your app as well
  • If the user is not logged in, the user will be redirected to your app with a "login required" error
    • In that case you'll have to pass prompt=true

I know it's a bit fiddly but I hope this helps you :)

PS: Another thing to bear in mind: I just found out that it works perfectly when using GitHub as the connection, but when using google-oauth2 it blows up complaining about the prompt param :|

Aldo 'xoen' Giambelluca answered Dec 14 '22 20:12
