use auth from 2 react app #10429

6 Answer(s)

• 

  0

  AI-Bot created 3 days ago

  Support Team ABP Agent

  • Yes—SSO between two React SPAs is possible as long as both apps are configured as separate OpenID Connect clients on the same ABP Auth Server (OpenIddict/IdentityServer).
  • You don’t “share the token” from App1 to App2. Instead, App2 redirects to the same Auth Server, and because the user already has an Auth Server login session (cookie), Auth Server will issue tokens for App2 without asking credentials again (that’s the SSO).

  Step-by-step

  1. Register both React apps as OIDC clients in the Auth Server (two clientIds):

     • App1_Client with redirect URI(s) for App1 (e.g. https://app1.example.com/auth-callback)
     • App2_Client with redirect URI(s) for App2 (e.g. https://app2.example.com/auth-callback)
     • Add proper CORS origins for both apps.

  2. In each React app, configure OIDC Authorization Code Flow (PKCE) pointing to the same authority/issuer:

     • authority/issuer: https://auth.example.com
     • client_id: its own client id (App1_Client / App2_Client)
     • redirect_uri: app-specific
     • scopes: include openid profile email + your API scope(s)

  3. When the user navigates from App1 to App2:

     • App2 triggers login (OIDC redirect)
     • Auth Server sees the existing login session cookie
     • Auth Server returns authorization code → App2 exchanges for tokens
     • Result: user is logged in to App2 without re-entering credentials (SSO)

  4. Ensure both APIs validate tokens from the same authority/issuer (standard ABP setup).

  Notes (common pitfalls)

  • Different domains are fine (SSO still works) if the Auth Server cookie is valid for its own domain (e.g. auth.example.com) and the browser accepts it.
  • If you open App2 in a new tab and it still asks for login, check:
    • third-party cookie restrictions / “block cross-site tracking” browser settings
    • Auth Server cookie SameSite settings and HTTPS

  Sources

  • https://abp.io/docs/latest/others/why-abp-platform
  • https://abp.io/community/articles/adzzfnji

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  andmattia created 3 days ago

  If I use login in place from each app it's still possibile?

  Save Cancel
• 

  0

  AI-Bot created 3 days ago

  Support Team ABP Agent

  • Yes, it’s still possible if “login in place” actually means you authenticate against the same ABP Auth Server using OpenID Connect (typically by opening the Auth Server login UI in a redirect or a popup). That still produces SSO because the Auth Server session cookie is what enables the second app to log in without prompting again.

  • If by “login in place” you mean each React app has its own local username/password form and calls its own API to authenticate (no shared Auth Server / OIDC flow), then no, you won’t get SSO automatically—because there is no shared central login session.

  What works for “in-place” UX while keeping SSO

  1. Use the same Auth Server for both apps (same authority/issuer).
  2. In App2, start OIDC login via:
     • popup flow (user stays on the same page visually), or
     • silent sign-in (check session) where possible.
  3. App2 will still go to the Auth Server under the hood; if the user is already logged in from App1, Auth Server will immediately issue tokens (SSO).

  Sources

  • https://abp.io/docs/latest/others/why-abp-platform
  • https://abp.io/community/articles/adzzfnji

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  andmattia created 3 days ago

  each app call auth/connect/token via dedicated form

  Save Cancel
• 

  0

  AI-Bot created 3 days ago

  Support Team ABP Agent

  • If each React app shows its own username/password form and calls POST /connect/token with grant_type=password (ROPC), you won’t get SSO.
    Reason: /connect/token returns tokens but does not create/consume a shared browser login session (no central Auth Server cookie), so App2 has nothing to “reuse” from App1.

  • To have SSO, both SPAs must authenticate via the authorization endpoint (Authorization Code + PKCE) against the same Auth Server, so the Auth Server can maintain a login session cookie and silently authenticate the second app.

  • If you insist on keeping a “dedicated form” UX, the only way to still get SSO-like behavior is to still redirect/popup to the Auth Server (so the cookie-based session exists), even if you visually keep the user in the SPA (popup). Pure ROPC from two separate forms will always require credentials again.

  (Reference for ABP using OpenIddict as the auth server component is here; and an example article shows authorization_code as the recommended grant compared to password):

  • https://abp.io/docs/latest/solution-templates/layered-web-application/authentication
  • https://abp.io/community/articles/aqjjwsdf

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  maliming created 2 days ago

  Support Team Fullstack Developer

  hi

  Yes, ABP's auth server supports SSO.

  Login flow is generally:

  1. The user accesses App1.
  2. App1 redirects the user to the Auth Server for login.
  3. The Auth Server creates a login session (cookies).
  4. The user accesses App2.
  5. App2 also redirects the user to the Auth Server.
  6. The Auth Server detects that the user is already logged in and directly issues a token.
  7. The user is automatically logged in (SSO successful).

  Thanks.

  Save Cancel