Once a user is logged in to any app, he should not be asked for credentials for any other app. Sharing a single access token stored in local storage seems a default but somehow bad idea. In the case of Google apps on Android/web, it surely does not use this solution; how do they do session sharing across apps implicitly?
I am using AWS Cognito. It provides a User Pool in which I can have multiple apps registered to use the pool. Is there a way to get an access token for a user request (without credentials like a password) coming from a different app, since the user is already logged in to the pool via a previous app's login request?
We're also trying to create an SSO experience for our customers across all our apps so that they only have to log in once and get access to all apps.
AWS has a repo for that and it also might be interesting for you: https://github.com/awslabs/aws-amplify-identity-broker
Currently, we're making a POC to see if it works out, but basically you need to proxify the Cognito APIs with your custom OIDC-compliant endpoints.
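With OIDC-compliant endpoints, each app redirects the browser to the same authorize endpoint and receives its own authorization code and tokens, so no access token has to be shared through local storage. The following is an added example, not code from the posts above or from the aws-amplify-identity-broker repo, of the client side of that authorization code flow with PKCE; the endpoint URL, client IDs and redirect URIs are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical: one shared OIDC-compliant authorize endpoint, one client_id per app.
AUTHORIZE_URL = "https://login.example.com/oauth2/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_login(client_id: str, redirect_uri: str) -> dict:
    """Build the redirect URL; verifier and state stay with the app that started it."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = b64url(secrets.token_bytes(16))
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return {"url": f"{AUTHORIZE_URL}?{query}", "verifier": verifier, "state": state}


def finish_login(callback_url: str, pending: dict, client_id: str, redirect_uri: str) -> dict:
    """Check the callback's state, then return the form body for the token endpoint."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Reject callbacks that do not belong to this login attempt (CSRF / code injection).
    if not hmac.compare_digest(returned_state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing authorization code"])[0])
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": params["code"][0],
        "redirect_uri": redirect_uri,
        "code_verifier": pending["verifier"],  # proves this app started the flow
    }
```

The dictionary returned by `finish_login` is what the app would POST, form-encoded, to the token endpoint; the code is bound to that app's `client_id`, `redirect_uri` and PKCE verifier, so another app cannot redeem it.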