
Hosted Backend support for separate apps on subdomains of a common apex domain

Open todda00 opened this issue 2 years ago • 1 comments

Problem

We have separate environments running at subdomains:

dev.example.com
staging.example.com
preproduction.example.com
app.example.com

Each site is its own application, own tenant, pointed to a common FA server.

When I log in to dev.example.com and, using the same browser, log in to preproduction.example.com, the cookies which are associated with the apex domain (app.at, app.rt, app.at_exp, app.idt) are overwritten by each other. This causes the app to send the user to the login screen anytime they are switching between apps.

Solution

Ideally this cookie name prefix (app) would be configurable per tenant and/or application so that when the cookie is written it does not conflict with other applications sharing the same apex domain.

Alternatively (and probably a lower-friction change), the cookie name could use the client ID of the application as the prefix, which would already be present when sending the user to /app/login for the hosted backend usage.

I realize this would require changing how cookies are retrieved for a backend expecting app.at. Perhaps this application prefixing would have to be an opt-in feature configured at the application (or tenant) level so that existing usage would not be broken.

Alternatives/workarounds

The only alternative is to bring up our own hosted backend, store the cookies with unique names per application, and use less of the built-in functionality of the React SDK (since it relies on app. prefixed names and these would be different). Or live with it, and the user experiences a bit of a bounce when switching between apps.

Additional context

This info is related but still not specifically part of this request: Since we are cloud hosting FA, I did set up separate custom domains for each app (auth-dev.example.com, auth-preproduction.example.com). This allowed the remember my device and SSO functionality to work properly. Without doing this, and having all the apps point to a single subdomain auth.example.com, the users had to re-login when moving between apps. Now they just experience a slight bump, but SSO takes care of the user getting re-authenticated automatically.


todda00, Sep 21 '23 15:09
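
The collision described in the issue above and the client ID prefix it proposes, as an added JavaScript example that is not part of the original issue or FusionAuth's code: a small cookie jar keyed by (name, domain, path), the way browsers key cookies. The Domain=example.com attribute, the client ID values and the helper names are assumptions constructed for illustration.

```javascript
// Minimal cookie jar keyed the way browsers key cookies (RFC 6265):
// a cookie is identified by (name, domain, path), so a second Set-Cookie
// with the same triple replaces the first.
class CookieJar {
  constructor() { this.store = new Map(); }

  // host: host that sent Set-Cookie; domain: the Domain attribute (optional).
  set(host, name, value, { domain, path = "/" } = {}) {
    const d = (domain || host).toLowerCase().replace(/^\./, "");
    // Reject a Domain attribute the sending host does not belong to.
    if (host !== d && !host.endsWith("." + d)) return false;
    this.store.set(`${name};${d};${path}`, { name, value, domain: d, hostOnly: !domain });
    return true;
  }

  // Cookies the browser would attach to a request for `host`.
  cookiesFor(host) {
    const out = {};
    for (const c of this.store.values()) {
      const match = c.hostOnly ? host === c.domain
                               : host === c.domain || host.endsWith("." + c.domain);
      if (match) out[c.name] = c.value;
    }
    return out;
  }
}

const NAMES = ["at", "rt", "at_exp", "idt"]; // suffixes of the cookies named in the issue

// Simulate logging in to dev and then preproduction in one browser.
// prefixFor(clientId) returns the cookie-name prefix used for that app.
function loginBoth(prefixFor) {
  const jar = new CookieJar();
  const apps = [ // constructed sample values
    { host: "dev.example.com", clientId: "client-id-dev" },
    { host: "preproduction.example.com", clientId: "client-id-preprod" },
  ];
  for (const { host, clientId } of apps)
    for (const n of NAMES)
      jar.set(host, `${prefixFor(clientId)}.${n}`, `${n}-issued-for-${host}`, { domain: "example.com" });
  return jar.cookiesFor("dev.example.com");
}

const shared = loginBoth(() => "app");   // fixed "app" prefix, as described in the issue
const prefixed = loginBoth((id) => id);  // hypothetical client ID prefix, as proposed
```

With the fixed prefix, dev.example.com ends up holding preproduction's tokens under app.at and the other three names; with the client ID prefix, both sets coexist. Because the cookies are still scoped to the apex domain, each subdomain continues to receive the other application's cookies, so the prefix removes the collision but does not isolate the tokens.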

Here's a sample backend for the workaround: https://github.com/FusionAuth/fusionauth-javascript-sdk-express

mooreds, May 09 '24 17:05