Server-side SSO (Regular Web Apps)

Let's say we have three applications:

  • App 1: (single page app)
  • App 2: (single page app)
  • App 3: (regular web app)

You can see an example of a Regular Web App configured to use SSO in this GitHub repository.

The user logs in on and clicks on a link that should take them to a particular URL on In this case, you can create an endpoint on the target application (app3) that will redirect to the URL the user wanted to go to after SSO. For example:

This endpoint would check if the user is already logged in to this app. If they are, then redirect to the target URL. If the user is not logged in to the application, then redirect to Auth0 for SSO:

  if (user is already logged in)
    redirect to targetUrl
  else
    redirect to "…&redirect_uri=http://urlTo/callback&response_type=code&state=" + targetUrl

Here is an example in node.js:

app.get('/sso', function(req, res, next) {
  if (req.isAuthenticated()) {
    // Only accept relative targets so this endpoint cannot be used as an open redirect.
    // Note: this test only catches targets starting with "http"; a protocol-relative
    // "//host" form would pass it, so a stricter check is preferable in production.
    if (/^http/.test(req.query.targetUrl)) return res.status(400).send("url must be relative");
    // Here we'd redirect to req.query.targetUrl like following
    // res.redirect(req.query.targetUrl);
    // But in this case we'll go to User anyway
    res.redirect('/user?targetUrl=' + req.query.targetUrl);
  } else {
    console.log("Authenticating with Auth0 for SSO");
    // state carries the target URL so the callback can send the user there after login
    passport.authenticate('auth0', {
      state: req.query.targetUrl
    })(req, res, next);
  }
});

When the user comes back from Auth0 you should check for the state parameter and redirect to the original target URL.

  // process login with SDK
  if (state) redirect to the URL carried in the state parameter
  else redirect to the base logged-in URL

Here is an example in node.js:

    // Route path matches the redirect_uri used above (http://urlTo/callback)
    app.get('/callback',
      passport.authenticate('auth0'),
      function(req, res) {
        if (req.query.state) {
          // state holds the target URL set by /sso; it comes back via the query string,
          // so apply the same relative-URL check as for targetUrl before using it
          res.redirect(req.query.state);
        } else {
          res.redirect('/user');
        }
      });
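The /sso decision and the callback redirect from the two Node.js snippets above, written as an added example (not the page's or Auth0's own code) with a stricter relative-URL check than the `/^http/` test: it also rejects protocol-relative targets and paths that normalize to one. Express and passport are left out so the logic runs stand-alone; the authorize URL, client id and app origin are placeholders.

```javascript
// Placeholders: the page elides the Auth0 tenant and client id, so these are assumed.
const AUTH0_AUTHORIZE = 'https://your-auth0-domain.example/authorize';
const CLIENT_ID = 'YOUR_CLIENT_ID';
const APP_BASE = 'http://urlTo';                  // this app's origin, from the page's redirect_uri
const CALLBACK_URL = APP_BASE + '/callback';

// Accept only a same-site path such as "/orders/42?tab=1". Rejects absolute URLs,
// protocol-relative forms ("//evil", "/\evil") and paths that normalize to one
// ("/..//evil"), which a plain /^http/ test lets through. Returns the clean path or null.
function safeRelativeTarget(raw) {
  if (typeof raw !== 'string' || !raw.startsWith('/')) return null;
  let parsed;
  try { parsed = new URL(raw, APP_BASE); } catch (e) { return null; }
  if (parsed.origin !== new URL(APP_BASE).origin) return null;
  const path = parsed.pathname + parsed.search;  // drops any fragment
  return /^\/[\/\\]/.test(path) ? null : path;
}

// Case 1, the /sso endpoint: a pure decision function so it can be unit-tested without
// Express; the route handler would call res.redirect() or res.status(400).send() on it.
function ssoRedirect(isAuthenticated, targetUrl) {
  const target = targetUrl === undefined ? '/user' : safeRelativeTarget(targetUrl);
  if (target === null) return { status: 400, body: 'url must be relative' };
  if (isAuthenticated) return { status: 302, location: target };
  const authorize = new URL(AUTH0_AUTHORIZE);
  authorize.searchParams.set('client_id', CLIENT_ID);
  authorize.searchParams.set('redirect_uri', CALLBACK_URL);
  authorize.searchParams.set('response_type', 'code');
  authorize.searchParams.set('state', target);   // carry the return path in state, as the page does
  return { status: 302, location: authorize.toString() };
}

// The /callback handler, after the SDK has exchanged the code: state comes back in the
// query string, so it gets the same validation as targetUrl before it is used.
function callbackRedirect(state) {
  return { status: 302, location: safeRelativeTarget(state) || '/user' };
}
```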

Case 2: The user is already logged in and goes to

The user is logged in on and opens a new tab and goes to You would expect the user to be automatically signed in. To do that, you need to redirect the user to the following URL in a filter or a middleware:…&response_type=code&redirect_uri=http://urlTo/callback

Here is an example in node.js:

    // The route path below is assumed; the page cuts it off.
    app.get('/login',
      // This redirects to the Auth0 authorize URL shown above
      passport.authenticate('auth0', {}),
      function(req, res) {
        // Once user is logged in, redirect to the user page
        res.redirect('/user');
      });

If the user was already logged in before, then Auth0 will automatically redirect back to the application with a new token. If not, then it will show the Auth0 Login Page.

Case 3: The user has never logged in

The user has never logged in to any app. In this case, the filter or middleware mentioned in the previous point checks whether the user is authenticated and, if they are not, redirects the user to the following URL:…&response_type=code&redirect_uri=http://urlTo/callback