
Question: what is the use of 'auth0.is.authenticated' cookie #95

Closed
Arnaud-J opened this issue Jul 19, 2019 · 6 comments
Comments

@Arnaud-J

Hi,

I was questioning myself about the use of the 'auth0.is.authenticated' cookie, as it has been confusing to me (I searched for an answer in other issues but could not find one; sorry if I missed it).

What seems strange to me is that, when creating an auth0 client, the presence of this cookie is checked before we try to authenticate silently.
Here is the line https://github.com/auth0/auth0-spa-js/blob/master/src/index.ts#L11

What exactly is the purpose of such a check? (And thus the purpose of such a cookie.)

My use case is: I have a (quite old) angularjs app which directly uses auth0-js and a new react app which uses auth0-spa-js. If I log in on my angularjs app, then navigate to my react app, since the 'auth0.is.authenticated' cookie is not present, my react app won't try silent authentication and I won't be logged in.
Though I could myself trigger a silent auth when my auth0 client finished loading, I would expect the lib to always do it whatever the cookie is because there might be an auth0 session existing for me.

Please enlighten me on this; did I miss something?
Cheers

@luisrudge
Contributor

We use the cookie to improve the user experience. If the cookie is present, we automatically do a silent authentication request to get and cache the tokens. In most cases, it doesn't make sense to call Auth0 if the cookie is not there because, most likely, there won't be a session. If you have a particular scenario that this behavior is needed, you can call it yourself.

@haydave

haydave commented Feb 21, 2020

Hello,
I have set up 2 applications on different domains (e.g. foo1.bar.com and foo2.bar.com) using this tutorial (https://auth0.com/docs/quickstart/spa/angular2/01-login).
Do I understand correctly that, using this tutorial as is, I could not achieve SSO behaviour?
It is not working for separate domains but works for localhost (the 'auth0.is.authenticated' cookie domain for both apps is localhost).
@luisrudge Could I think of my case as a particular scenario?

@stevehobbsdev
Contributor

@haydave I'm not sure I'm following the problem you are having. Are you saying that you're not achieving the desired behaviour? Could you outline what you're seeing and what you expect to happen in a few steps?

@haydave

haydave commented Feb 26, 2020

@stevehobbsdev
Expected behavior:
Automatically being logged in to foo2.bar.com when logging in to foo1.bar.com.

Actual behavior:
The user has to log in to foo2.bar.com again, when he has already logged in to foo1.bar.com.

Additional information:
When I run foo1.bar.com & foo2.bar.com on localhost, SSO works. Logout works in both cases (localhost & foo1.bar.com, foo2.bar.com).

I think that the reason is the auth0.is.authenticated cookie which is attached to a particular domain.

@stevehobbsdev
Contributor

@haydave Thanks, that's much easier.

Ultimately I'm not sure what the solution is here yet, but just to add a bit of background: if you do happen to have that cookie, then it just calls getTokenSilently to refresh your local auth state. You should be able to call this manually after the call to createAuth0Client to achieve the same effect. If you are in fact still logged in, this additional call should then refresh your status.

Right now you might end up making that call twice if you do have that cookie, but we're currently working on a solution to allow you to disable the built-in call if you know you don't want it and are doing it manually.

Hope that helps

@danprime

danprime commented Apr 1, 2020

@luisrudge Thanks for clearing this up (how it performs a silent auth if the cookie is present). My SPA got into a vicious loop where the page wouldn't load because it errored with a 400 on silent authentication, and then I checked the logs to see that mysteriously the origin URI wasn't registered (even though it was).

I was following this tutorial: https://auth0.com/blog/securing-gatsby-with-auth0/ and will look into how to respond more gracefully to the silent auth error.
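The behaviour discussed above (the SDK only probes for a session when the `auth0.is.authenticated` hint cookie is present, the manual `getTokenSilently` call suggested for the cross-host case, and the failure loop described in the last comment) as an added example. This is not code from auth0-spa-js or from anyone in this thread: it models the start-up decision with a constructed fake client so it runs offline, and it assumes that errors thrown by `getTokenSilently` carry the OAuth error code on an `error` property (e.g. `login_required`), which is the only SDK detail it relies on.

```javascript
// Added example, not code from auth0-spa-js. It models the behaviour described
// in this thread: on start-up the SDK only attempts silent authentication when
// the "auth0.is.authenticated" hint cookie is present, so an app that wants to
// pick up an existing Auth0 session (e.g. one created on another host) has to
// call getTokenSilently itself and handle the "no session" outcome cleanly.

const IS_AUTHENTICATED_COOKIE = 'auth0.is.authenticated';

// Error codes that mean "there is no usable Auth0 session". These are the
// expected result of probing and must not be treated as a fatal failure.
// (Assumption: the SDK surfaces the OAuth error code on err.error.)
const NO_SESSION_ERRORS = new Set(['login_required', 'consent_required', 'interaction_required']);

// Parse a document.cookie-style string ("a=1; b=2") and report whether the
// hint cookie is set to "true". Cookies are scoped by host, which is why a
// login on foo1.bar.com leaves no hint visible to foo2.bar.com.
function hasIsAuthenticatedCookie(cookieString) {
  return String(cookieString || '')
    .split(';')
    .map((pair) => pair.trim())
    .some((pair) => {
      const eq = pair.indexOf('=');
      if (eq < 0) return false;
      return pair.slice(0, eq) === IS_AUTHENTICATED_COOKIE && pair.slice(eq + 1) === 'true';
    });
}

// Decide whether to probe for a session and do it. With alwaysProbe=false this
// mirrors the SDK's start-up check; with alwaysProbe=true it probes regardless
// of the cookie, which is what the cross-host SSO case in this thread needs.
// Returns a status object; rethrows unexpected errors (e.g. a 400 caused by an
// unregistered callback/origin URL) so the caller can stop instead of looping.
async function restoreSession(client, cookieString, { alwaysProbe = false } = {}) {
  const hintPresent = hasIsAuthenticatedCookie(cookieString);
  if (!hintPresent && !alwaysProbe) {
    return { authenticated: false, probed: false, reason: 'no hint cookie' };
  }
  try {
    await client.getTokenSilently();
    return { authenticated: true, probed: true, reason: 'silent auth succeeded' };
  } catch (err) {
    if (err && NO_SESSION_ERRORS.has(err.error)) {
      return { authenticated: false, probed: true, reason: err.error };
    }
    throw err; // misconfiguration or transport failure: do not retry blindly
  }
}

// Constructed stand-in for an Auth0Client so the example runs offline.
// `outcome` is 'ok', an OAuth error code string, or an Error to throw as-is.
function makeFakeClient(outcome) {
  let calls = 0;
  return {
    calls: () => calls,
    async getTokenSilently() {
      calls += 1;
      if (outcome === 'ok') return 'fake-access-token';
      if (outcome instanceof Error) throw outcome;
      const e = new Error(outcome);
      e.error = outcome; // shape assumed for SDK errors
      throw e;
    },
  };
}

// Demonstration with constructed cookie strings and fake clients.
async function demo() {
  const noHint = '_ga=GA1.2.1; theme=dark';
  const withHint = 'theme=dark; auth0.is.authenticated=true';
  return {
    sdkDefaultNoCookie: await restoreSession(makeFakeClient('ok'), noHint),
    sdkDefaultWithCookie: await restoreSession(makeFakeClient('ok'), withHint),
    forcedProbeHasSession: await restoreSession(makeFakeClient('ok'), noHint, { alwaysProbe: true }),
    forcedProbeNoSession: await restoreSession(makeFakeClient('login_required'), noHint, { alwaysProbe: true }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In a real SPA the call would be `restoreSession(auth0Client, document.cookie, { alwaysProbe: true })` right after `createAuth0Client`; the point of the `NO_SESSION_ERRORS` check is that an absent session is a normal answer and should leave the user logged out, while anything else (such as the 400 for an unregistered origin mentioned above) is surfaced once rather than retried on every page load.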

5 participants