Checklist
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
Current behavior: attemptSilentLogin() middleware will attempt a prompt=none login for the first visit, and then set an "attempted" cookie (skipSilentLogin) to prevent an infinite loop.
This is done without any attempt to check the presence of an "is authenticated" flag/hint cookie—which is present on the origin, if the app shares an origin with the IdP (e.g. a custom domain set on an Auth0 tenant).
Describe the ideal solution
In the SPA library auth0-spa-js, the checkSession() function only attempts the XHR silent login (getTokenSilently) when an "isAuthenticated" cookie (isAuthenticatedCookieName) is present.
If an application is on the same origin domain (e.g. app.example.com and auth.example.com), then the "is authenticated" flag cookie should also be available to express-openid-connect, allowing an application to only perform prompt=none logins when there is a high degree of confidence that there is a global session.
Please consider adding this as a feature (default behavior or configurable) to this library's attemptSilentLogin() middleware. This helps defer unnecessary logins and keeps usage of Auth0 Authentication API quotas to a minimum for high-traffic sites, while still providing a seamless SSO experience for users with "hinted" global sessions.
Alternatives and current workarounds
Instead of using the attemptSilentLogin() middleware, a custom middleware can be built which checks for the flag cookie and manually calls:
```js
await res.oidc.login({
  silent: true,
});
```
Additional context
#630 refers to taking into account the global Auth0 session, but the main use case seems to be synchronizing a global logout, not making attemptSilentLogin() smarter to defer quota-consuming auth checks.
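The custom middleware described under "Alternatives and current workarounds", written out as an added example (this is not code from express-openid-connect). It only triggers a prompt=none login when the hint cookie is present on the shared origin; both cookie names (`auth0.is.authenticated` and `skipSilentLogin`) are assumptions to be replaced with whatever your IdP and loop guard actually use.

```javascript
// Added example, not code from express-openid-connect. A custom middleware that
// attempts a prompt=none login only when the IdP's "is authenticated" hint cookie
// is visible on the shared origin. Both cookie names below are assumptions.

// Minimal Cookie-header parser so the example needs no cookie-parser dependency.
function parseCookies(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Pure decision: 'next' (local session exists, or a silent login was already
// attempted), 'skip' (no hint, so do not spend an Authentication API call),
// or 'login' (hint present, so a global session is likely).
function decideSilentLogin(cookies, isAuthenticated, opts) {
  if (isAuthenticated || cookies[opts.skipCookie]) return 'next';
  if (!cookies[opts.hintCookie]) return 'skip';
  return 'login';
}

function hintedSilentLogin(options = {}) {
  const opts = {
    hintCookie: options.hintCookie || 'auth0.is.authenticated', // assumed name
    skipCookie: options.skipCookie || 'skipSilentLogin',        // assumed name
  };
  return async (req, res, next) => {
    try {
      const cookies = parseCookies(req.headers.cookie);
      const decision = decideSilentLogin(cookies, req.oidc.isAuthenticated(), opts);
      if (decision !== 'login') return next();
      // Mark the attempt before redirecting so a failed prompt=none cannot loop,
      // mirroring the "attempted" cookie the built-in middleware sets.
      res.cookie(opts.skipCookie, 'true', { httpOnly: true, secure: true, sameSite: 'Lax' });
      return await res.oidc.login({ silent: true });
    } catch (err) {
      return next(err);
    }
  };
}
```

Mount it with `app.use(hintedSilentLogin())` after the library's `auth()` middleware, since it relies on `req.oidc` and `res.oidc` being populated.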