How best to share a token across subdomains?

We have multiple ReactJS apps under the same primary domain:

http://search.domain.com/
http://pages.domain.com/
http://me.domain.com/

And we’d love the user to log in once, and when they go to the next domain, they don’t have to be resent to Okta to get a token for that domain. What is the best way to pass this token around? I see the okta client can be set to use a cookie but it appears that the cookie is not a domain level cookie, instead, it’s specific to the subdomain. Do I need to do something custom here?

Thanks,
David

We were recommended by Okta support to set up a custom domain, per https://developer.okta.com/docs/guides/custom-url-domain/overview/. Looks promising!


Also see that a custom storage provider is possible, exploring this route now https://github.com/okta/okta-auth-js#storage

The custom storage provider is working really well, following how Okta is writing to cookies (given the size constraints) https://github.com/okta/okta-auth-js/blob/master/lib/TokenManager.ts#L230

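As an added illustration of the custom-storage route described above (this is example code, not David's implementation and not code from okta-auth-js): a storage provider that keeps the token store in cookies scoped to the parent domain, so every subdomain app reads the same value. It assumes that okta-auth-js accepts any object exposing `getItem`, `setItem` and `removeItem` as the token manager's storage (check the README link above for the exact option), that `.domain.com` is the shared parent domain, and that a 3000-byte chunk size keeps each cookie under the browser's per-cookie limit. The `createMemoryCookieJar` stand-in for `document.cookie` exists only so the code can run outside a browser.

```javascript
// Added example (not David's code and not from okta-auth-js): a storage
// provider that keeps tokens in cookies scoped to the parent domain so each
// subdomain app can read them. Assumption: okta-auth-js accepts an object
// with getItem/setItem/removeItem as the token manager's storage (see the
// README link above). Values are split into chunks to respect the per-cookie
// size limit; the chunk size below is a conservative assumption.
const CHUNK_SIZE = 3000;   // keep each cookie well under the ~4 KB limit
const MAX_CHUNKS = 20;     // refuse to write something absurdly large

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Parse a document.cookie-style string ("a=b; c=d") into a name -> raw value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

function createCookieStorage({ domain, readCookies, writeCookie, secure = true, sameSite = 'Lax' }) {
  // Domain=.domain.com makes the cookie visible to every subdomain; Secure and
  // SameSite=Lax restrict it to HTTPS and keep it out of cross-site subrequests.
  const attrs = `; Domain=${domain}; Path=/; SameSite=${sameSite}${secure ? '; Secure' : ''}`;
  const chunkName = (key, i) => `${key}_${i}`;
  const countName = (key) => `${key}_n`;

  function getItem(key) {
    const jar = parseCookies(readCookies());
    const count = Number(jar[countName(key)]);
    if (!Number.isInteger(count) || count < 1) return null;
    let encoded = '';
    for (let i = 0; i < count; i++) {
      const chunk = jar[chunkName(key, i)];
      if (chunk === undefined) return null; // partial or damaged write: treat as absent
      encoded += chunk;
    }
    return decodeURIComponent(encoded);
  }

  function removeItem(key) {
    const pattern = new RegExp(`^${escapeRegExp(key)}_(n|\\d+)$`);
    for (const name of Object.keys(parseCookies(readCookies()))) {
      if (pattern.test(name)) writeCookie(`${name}=; Max-Age=0${attrs}`);
    }
  }

  function setItem(key, value) {
    removeItem(key); // drop stale chunks left by a previous, longer value
    const encoded = encodeURIComponent(String(value));
    const chunks = [];
    for (let i = 0; i < encoded.length; i += CHUNK_SIZE) chunks.push(encoded.slice(i, i + CHUNK_SIZE));
    if (chunks.length > MAX_CHUNKS) throw new Error(`value for ${key} is too large for cookie storage`);
    chunks.forEach((chunk, i) => writeCookie(`${chunkName(key, i)}=${chunk}${attrs}`));
    // Count is written last so a reader never sees a count without its chunks.
    writeCookie(`${countName(key)}=${chunks.length}${attrs}`);
  }

  return { getItem, setItem, removeItem };
}

// In the browser: createCookieStorage({ domain: '.domain.com',
//   readCookies: () => document.cookie, writeCookie: (s) => { document.cookie = s; } })
// Outside a browser this in-memory stand-in for document.cookie honours only
// the name=value pair and a Max-Age=0 deletion (constructed for the example).
function createMemoryCookieJar() {
  const jar = new Map();
  return {
    readCookies: () => [...jar].map(([k, v]) => `${k}=${v}`).join('; '),
    writeCookie: (str) => {
      const [pair, ...attributes] = str.split(';');
      const idx = pair.indexOf('=');
      const name = pair.slice(0, idx).trim();
      const value = pair.slice(idx + 1).trim();
      if (attributes.some((a) => /^\s*Max-Age=0\s*$/i.test(a))) jar.delete(name);
      else jar.set(name, value);
    },
  };
}
```

Two things worth keeping in mind with this design: a cookie on `.domain.com` is readable by script on every subdomain, so any one compromised subdomain app exposes the tokens of all the others, and the cookies should never be marked `HttpOnly` here because the SDK must read them from JavaScript. Separately, the Okta session cookie lives on the Okta tenant's own domain; whether that one is first-party for your apps is the custom-domain question discussed further down the thread, not something this storage provider changes.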

Hey @DavidLozzi - I actually want the opposite functionality that you have, that each time a user visits a new subdomain, they’re sent to Okta to login and get a new token. Are you still encountering that behavior?

We are no longer having that issue since implementing this approach. If you want that approach, then don't do anything; it should just do it out of the box.

It’s not doing that automatically, which is why I’m so confused!
I login to demo-test.testing.com, and it redirects me to Okta to login. Then I visit demo-test-2.testing.com and it sends me to Okta to enter my MFA again, instead of asking me to login with username/password again.

It's because you are considered to be on the same domain, so the Okta session cookie will be sent, and Okta will consider you to have a session.


And that’s because it’s based on the domain, not the subdomain, correct?

That's right, the cookies will still be first party if your Okta tenant is on okta.domain.com while your app is on app.domain.com OR domain.com.

More info about how these session cookies work and the benefit of using a custom domain can be found here.

