Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Suport for multi tab sessions #1272

Open
5 tasks done
IdoMor opened this issue May 23, 2024 · 5 comments
Open
5 tasks done

Suport for multi tab sessions #1272

IdoMor opened this issue May 23, 2024 · 5 comments
Labels
feature request A feature has been asked for or suggested by the community

Comments

@IdoMor
Copy link

IdoMor commented May 23, 2024

Checklist

Describe the problem you'd like to have solved

We are using auth 0 for a while now, and we have the following architecture

  1. Several front-end applications, each on a different domain: [email protected], [email protected], [email protected],
    We are using auth 0 cookies with the domain: 'domain.com' so that whenever the organization_hint cookie is changed (when we logged into another organization), this affects ALL the open applications on all the tabs

We would like to change this behavior, such that each open application would have "its own" organization_hint so that each application opened in each tab would be authenticated to a different organization

We are adding the JWT value to each request sent from each application as an HTTP header.

Does this scenario supported by auth0?
If we would pass the organization_hint to 'getAccessTokenSilently' in order to get the JWT value, will this work? even if there is a different value on the organization_hint cookie?

Describe the ideal solution

Our ideal solution would be that each opened application would have its own JWT value, meaning that we would be able to have multiple sessions simultaneously

Alternatives and current workarounds

none

Additional context

No response

@IdoMor IdoMor added the feature request A feature has been asked for or suggested by the community label May 23, 2024
@frederikprijck
Copy link
Member

frederikprijck commented May 24, 2024

What you are requesting sounds possible already by not setting the cookieDomain at all. Can you elaborate on what isnt working when u use that?

Our ideal solution would be that each opened application would have its own JWT value, meaning that we would be able to have multiple sessions simultaneously

This is already the case. Tokens are either put into memory (then each tab has its own memory cache), or into local storage (then each domain has its own cache).

@IdoMor
Copy link
Author

IdoMor commented May 24, 2024

First of all, thank you for the detailed (and fast) response.
If tokens are stored in the memory, what is the reason for having an organization_hint cookie?
I think that setting and cookieDomain into an empty value would not work for us, since our goal is to support 2 types of sessions:

  1. Multiple sessions at multiple applications (described above) - would be solved by setting the cookieDomain value into an empty value
  2. Single session for multiple applications - Allow the user to only have a session into a single organization, across different tabs - Would not work if setting the cookieDomain value into an empty value

@frederikprijck
Copy link
Member

frederikprijck commented May 24, 2024

Single session for multiple applications - Allow the user to only have a session into a single organization, across different tabs - Would not work if setting the cookieDomain value into an empty value

I do not think this is exactly true. Even though I can understand using cookieDomain can help here, this should still be possible without the cookieDomain, with a slightly decreased UX perhaps. I'd recommend giving it a try and evaluating if it fits your needs.

Having said that, I am not sure I understand what you are saying. Do you want Multiple sessions at multiple applications or Single session for multiple applications ? You can't have both, so it's either one or the other and you set the cookieDomain accordingly.

Also note, when using the auth0-spa-js SDK, there is no concept of an application session, we just use tokens and store them. It may feel as if there is a session, and I understand what you mean. But there is no true single/multiple sessions.

@IdoMor
Copy link
Author

IdoMor commented May 24, 2024

Let me get back to my original question
Can I use getAccessTokenSilently with organization_hint that is different than the one exists on the cookie?
for example, cookie organization_hint value is 'org_1'
And getAccessTokenSilently is executed with {organization: org_2}
Will I get back a token? Given the fact that I have authenticated into org_2 before executing the call getAccessTokenSilently?

Note that the authenticated user does have access to both org_1, and org_2

@frederikprijck
Copy link
Member

frederikprijck commented May 24, 2024

No, see https://github.com/auth0/auth0-spa-js/blob/main/EXAMPLES.md#switch-to-a-different-organization. If you want to switch organizations, you have to go trough the loginWithRedirect or loginWithPopup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature request A feature has been asked for or suggested by the community
Projects
None yet
Development

No branches or pull requests

2 participants