Persisting authentication from non-WeWeb site to a WeWeb site

Hi ,

I’m hoping someone can help with this.

I have a site ‘example.com’ (not WeWeb hosted), where users currently log in.
And I have a subdomain ‘app.example.com’ (WeWeb hosted).
Both sites use the same database.

I am trying to figure out if there is a way to pass on a user’s authentication details if they visit the subdomain so they do not have to log in again.

From my research, I believe this can potentially be done with Auth0 and openID.
But I’m unsure how to have the non-WeWeb hosted root domain communicate with the WeWeb hosted subdomain.

Any help is much appreciated!

you could pass in a token during the redirect and grab the user object with the token. this is the same idea as a magic link.

in platform 1,

• create a token for the user
  – ey.adsff234lk234.234klh234l
• create a redirect and append the token to the redirect URL
  –www.example.com?token=ey.adsff234lk234.234klh234l

on platform 2

• on page. load, check if there’s a token value in the URL, if so, validate the user and grab a new token

Thanks Jared

My only concern - wouldn’t passing the token in the URL have security implications?

any authentication methodd has it’s risk. you can mitigate them, however. in this case id say the risk is low. If this was an insecure method, magic link logins probably wouldn’t be so popular.

a few things to keep in mind

• generate the token at the time it’s to be used
• only give the token certain privileges
• ensure it’s a 1 time use
  –use it to authenticate the user ensuring traffic comes from the correct domain, then issue a new ‘full’ token to be stored locally
• ensure it’s a short lived token
  –10 second max