Cross domain API access token using 3rd party login


Jeffrey Yan

May 25, 2016, 2:46:12 AM5/25/16
to LoopbackJS
I currently have the LoopbackJS API hosted on a particular domain, with third-party authentication set up via Auth0.

loopback-component-passport seems to work fine when the front-end is on the same domain, and it sets the `userId` and `access_token` cookies accordingly.

However, my front-end in production is on a different domain to the API, for example the API auth link would be something like:

"http://domain1.com/auth/auth0?returnTo=" + encodeURIComponent("http://domain2.com") since the front-end is on domain2

I can't seem to get the access token communicated after the user logs in through Auth0. It redirects to domain2.com fine, but after that the app there has no idea what the access token is to access the API.

Was there a particular workflow that I should be following in this case?

Heath Morrison

May 25, 2016, 3:55:13 AM5/25/16
to loopb...@googlegroups.com
Hello Jeffrey,

We also are using our API across domains and had to tackle this same issue with cross-domain authentication. As you noted, CORS will prevent you from using cookies across domains. I'll outline for you the approach we used and welcome any feedback from you or others on this group.

Instead of doing an API call, we open a small popup window which loads the Passport authentication endpoint (like /auth/facebook). This initiates the normal Passport authentication process. When the process completes, we render a small template with a piece of JavaScript which communicates with the SPA (using postMessage) to transfer the access token and some other relevant information.

I'll note that, IIRC, the above works for modern browsers but we had trouble with cross-domain postMessage on MSIE and ended up implementing some messy behavior to accommodate it. Let me know if that's relevant for you.

Hope this helps.

-Heath


--
You received this message because you are subscribed to the Google Groups "LoopbackJS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to loopbackjs+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/loopbackjs/1606d8be-4471-46eb-9656-85a1aff1ffc7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
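The popup-plus-postMessage hand-off Heath describes, written out as an added example (this is not loopback-component-passport's code and not what Heath's team shipped). The origins, the `loopback-auth` message tag and the `window.__ACCESS_TOKEN__` / `window.__USER_ID__` globals that the API's callback template would inline are assumptions for illustration. The two checks worth noticing are the explicit targetOrigin on the sending side (never `"*"`, so a popup opened by some other site cannot receive the token) and the `event.origin` comparison on the receiving side (so a hostile page holding a reference to the SPA window cannot inject a token of its choosing). The browser wiring at the bottom is guarded so the functions can be exercised under Node.

```javascript
// Added example (not loopback-component-passport's own code): hand an access token from an
// API-hosted popup to a single-page app on another origin with window.postMessage.
// Assumed origins; adjust to the real API and front-end hosts.
const API_ORIGIN = "http://domain1.com"; // hosts /auth/<provider> and the popup callback page
const SPA_ORIGIN = "http://domain2.com"; // the front-end that needs the token
const MESSAGE_TYPE = "loopback-auth";    // assumed message tag; anything both sides agree on

// --- SPA side ---------------------------------------------------------------

// Open the Passport endpoint in a popup instead of navigating the SPA to it.
// `win` is the SPA's window, injected so the function can be exercised outside a browser.
function openAuthPopup(win, provider) {
  const url = API_ORIGIN + "/auth/" + encodeURIComponent(provider);
  return win.open(url, "loopback-auth", "width=500,height=600");
}

// Build the "message" listener for the SPA. Both checks matter:
//  - event.origin must equal the API origin, otherwise any page that obtains a reference
//    to the SPA window (e.g. a malicious popup) could inject a token of its choosing;
//  - the payload shape is validated before it is used.
function makeTokenReceiver(expectedOrigin, onToken) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false;
    const data = event.data;
    if (!data || data.type !== MESSAGE_TYPE) return false;
    if (typeof data.access_token !== "string" || data.access_token.length === 0) return false;
    if (typeof data.userId !== "string" && typeof data.userId !== "number") return false;
    onToken({ accessToken: data.access_token, userId: String(data.userId) });
    return true;
  };
}

// Authenticate an API call with the received token. LoopBack's token middleware reads the
// Authorization header, so the token never has to live in a cookie on the API domain.
function authHeaders(accessToken) {
  return { Authorization: accessToken };
}

// --- popup side (template the API renders after Passport completes) ---------

// Post the token back to the SPA that opened the popup. The targetOrigin argument is the
// SPA origin, never "*": if the popup was opened by some other site, the browser drops the
// message instead of leaking the token there.
function sendTokenToOpener(openerWindow, accessToken, userId) {
  if (!openerWindow) return false; // opened directly, not by the SPA; nobody to hand off to
  openerWindow.postMessage(
    { type: MESSAGE_TYPE, access_token: accessToken, userId: userId },
    SPA_ORIGIN
  );
  return true;
}

// Browser wiring (a no-op under Node, where the functions above can be unit-tested).
if (typeof window !== "undefined" && window.location) {
  if (window.location.origin === SPA_ORIGIN) {
    window.addEventListener("message", makeTokenReceiver(API_ORIGIN, function (auth) {
      sessionStorage.setItem("access_token", auth.accessToken);
      sessionStorage.setItem("userId", auth.userId);
    }));
  } else if (window.location.origin === API_ORIGIN && window.opener) {
    // Assumed: the API's callback template inlines the real token and userId as globals.
    sendTokenToOpener(window.opener, window.__ACCESS_TOKEN__, window.__USER_ID__);
    window.close();
  }
}
```

Once the SPA has the token it sends it on every API request via `authHeaders(token)` (LoopBack also accepts an `access_token` query parameter, but a header keeps the token out of server logs and browser history). The popup approach sidesteps the cookie problem entirely because nothing on domain2 ever needs a domain1 cookie; the remaining cross-browser caveat is the one Heath raises about older MSIE and cross-domain postMessage.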

Jeffrey Yan

May 25, 2016, 4:42:47 AM5/25/16
to loopb...@googlegroups.com
Thanks for that method, that could definitely work. I'm thinking in this case it will be easier to try to integrate the API into the same domain, so that I can take advantage of all the existing integration, which seems to be fully based around same-domain cookies.