This repository has been archived by the owner on Apr 14, 2021. It is now read-only.

Silent SSO #13

Merged
merged 1 commit into from
Feb 20, 2018

@xoen xoen commented Feb 19, 2018

What

Don't ask for confirmation when user already logged in Auth0 SSO.

By passing `?prompt=none` in the `/authorize` request Auth0 will not
ask to confirm the identity when already logged in SSO.

The effect will be that the user will be transparently logged in to the
application (RStudio in this case).

Notes

When `?prompt=none` is passed to `/authorize` but the user is not
logged in SSO the user will not be prompted to log in and therefore can't
be logged in. In this case the application redirects to `/login` again by
passing `?prompt=true` so that the user can log in.

See

@xoen xoen requested review from andyhd and kerin February 19, 2018 11:13

xoen commented Feb 19, 2018

FYI: I want to see if I can get the change to Strategy.authorizationParams() upstream so we don't have to monkey-patch it here.

@andyhd andyhd left a comment

Looks good to me 👍

app/index.js Outdated
//
// See: https://github.com/siacomuzzi/passport-openidconnect/blob/master/lib/strategy.js#L338
Auth0Strategy.prototype.authorizationParams = (options) => {
return options;
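
Review bot: `authorizationParams` returns the whole `options` object unchanged, so if its return value is what gets appended to the `/authorize` request (as the linked strategy.js line suggests), every option passed in is forwarded to the authorization server, not only `prompt`. Consider returning just the key this change needs, for example `options.prompt ? { prompt: options.prompt } : {}`, and extend the comment above the override to say which parameter it exists for.
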
Contributor

Just realised, shouldn't this be `options => options`?

Contributor Author

You're right. I think I didn't use it already because originally I was using `Object.assign(options, {})` and the body of the function was a bit "long" to use the shorthand.

I wonder if I should be defensive here and `return options || {};` - Probably not worth it as we control the code and chances of not passing options are very thin.

(I'm trying to write some tests to have something like this upstream - in that case it makes more sense to be defensive)

Contributor Author

Don't ask for confirmation when user already logged in Auth0 SSO.

By passing `?prompt=none` in the `/authorize` request Auth0 will not
ask to confirm the identity when already logged in SSO.

The effect will be that the user will be transparently logged in to the
application (RStudio in this case).

NOTE: When `?prompt=none` is passed to `/authorize` but the user is *not*
logged in SSO the user will not be prompted to log in and therefore can't
be logged in. In this case the application redirects to `/login` again by
passing `?prompt=true` so that the user can log in.

SEE: https://auth0.com/docs/api-auth/tutorials/silent-authentication
@xoen xoen force-pushed the ag--auth0-hosted-login-page branch from df39b20 to 558de3c February 19, 2018 11:51
@xoen xoen merged commit a127b61 into master Feb 20, 2018
@xoen xoen deleted the ag--auth0-hosted-login-page branch February 20, 2018 16:59
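
The silent-login flow and its fallback described in this pull request, as an added example that is not code from this repository: it builds the `/authorize` URL with `prompt=none` and decides what to do with the callback. The function names, tenant host, client id and callback URL are hypothetical placeholders, and the error codes are the OpenID Connect ones for "user interaction needed".

```javascript
// Added example, not the repository's code. All names and URLs are placeholders.
const ISSUER = 'https://example.auth0.com';
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';
const CALLBACK = 'https://app.example.test/callback';

// OIDC error codes returned when prompt=none cannot be met without showing UI.
const NEEDS_INTERACTION = new Set([
  'login_required', 'interaction_required',
  'consent_required', 'account_selection_required',
]);

// Build the /authorize URL; prompt=none is the only extra parameter added.
function authorizeUrl(state, { silent }) {
  const url = new URL('/authorize', ISSUER);
  url.search = new URLSearchParams({
    response_type: 'code', scope: 'openid', client_id: CLIENT_ID,
    redirect_uri: CALLBACK, state,
  }).toString();
  if (silent) url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Decide what to do with the callback's query parameters.
// session = { state, silent } as stored when the login was started.
function handleCallback(query, session) {
  // state must match the stored value on silent attempts too.
  if (!query.state || query.state !== session.state) {
    return { action: 'reject', reason: 'state mismatch' };
  }
  if (query.error) {
    // Fall back to interactive login only when a silent attempt failed for
    // lack of an SSO session; anything else is rejected, so no redirect loop.
    if (session.silent && NEEDS_INTERACTION.has(query.error)) {
      return { action: 'redirect', location: '/login?prompt=true' };
    }
    return { action: 'reject', reason: query.error };
  }
  if (!query.code) return { action: 'reject', reason: 'missing code' };
  return { action: 'exchange_code', code: query.code };
}
```
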