Support checking flag cookie before prompt=none silent login

[emsearcy]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Current behavior: attemptSilentLogin() middleware will attempt a prompt=none login for the first visit, and then set an "attempted" cookie (skipSilentLogin) to prevent an infinite loop.

This is done without any attempt to check the presence of an "is authenticated" flag/hint cookie—which is present on the origin, if the app shares an origin with the IdP (e.g. a custom domain set on an Auth0 tenant).

Describe the ideal solution

In the SPA library auth0-spa-js, the checkSession() function contains a feature where the XHR silent login, getTokenSilently is only attempted in the presence of an "isAuthenticated" cookie, isAuthenticatedCookieName.

If an application is on the same origin domain (e.g. app.example.com and auth.example.com), then the "is authenticated" flag cookie should also be available to express-openid-connect, allowing an application to only perform prompt=none logins when there is a high degree of confidence that there is a global session.

Please consider adding this as a feature (default behavior or configurable) to this library's attemptSilentLogin() middleware. This helps defer unnecessary logins, and keep usage of Auth0 Authentication API quotas to a minimum for high traffic sites, while still providing a seamless-SSO experience for users with "hinted" global sessions.

Alternatives and current workarounds

Instead of using the attemptSilentLogin() middleware, a custom middleware can be built which checks for the flag cookie and manually calls:

await res.oidc.login({
    silent: true,
});

Additional context

#630 refers to taking into account the global Auth0 session, but the main use case seems to be synchronizing a global logout, not making attemptSilentLogin() smarter to defer quota-consuming auth checks.

[kushalshit27]

Hi,
Thanks for the feature request! Great suggestion! We will evaluate how to incorporate it. 🤝

[aks96]

This is more of enhancement and its more of changing the behaviour and design for silent authentication. The core of this issue is to whether attemptSilentLogin() should check the existing cookie.

Moving this discussion to gather broader feedback before defining the implementation path. This is about behaviour and design silent login and checks, it would be helpful to hear broader feedback and use cases.
Discussion will help clarify requirements and identify different patterns.