DuendeSoftware / Support

Support for Duende Software products

Cookie accidentally shared between subdomains of my application? #640

Closed khteh closed 1 year ago

khteh commented 1 year ago

Which version of Duende IdentityServer are you using? Community

Which version of .NET are you using? 7.0.105

Describe the bug: I have 2 React.JS / Next.JS applications running in 2 different subdomains. The apps are using Identity server. It appears that when one of the applications logs in the user, the second application automatically logs in with the same user credential in a different browser tab. The browser debugger shows they have different cookies with different Domains. I don't have the chance to capture the cookie of Identity server as it disappears after the login.

Identity server logs show that the second app running in the second browser tab does make a request back to the server and it immediately, falsely identifies with the first login in the first app.

How to fix this?

Expected behavior: 2 different web applications at different subdomains should not share the server cookie.

josephdecock commented 1 year ago

I'm not sure if I'm following what your goal is here. Are you saying that you are getting single sign on between your two client applications but don't want that? If so, IdentityServer supports the prompt=login oidc parameter to force a new login on the authentication request.

khteh commented 1 year ago

Not single sign-on. These 2 independent applications should not automatically sign in with each other's user credentials although they use the same Identity server.

khteh commented 1 year ago

https://github.com/dotnet/aspnetcore/issues/47998

brockallen commented 1 year ago

> Not single sign-on. These 2 independent applications should not automatically sign in with each other's user credentials although they use the same Identity server.

This is what you have designed by having the two apps trust the same SSO provider. If you don't want that, then either use different SSO providers or use the OIDC prompt param mentioned above.

khteh commented 1 year ago

Does SSO only work on subdomains? How would IdentityServer behave if they are from different domains?

josephdecock commented 1 year ago

You can definitely have single sign on regardless of the domains of the applications.

Another option for you to prevent SSO is to set the SSO lifetime of the IdentityServer client configuration. You can set that lifetime to zero and the effect will be that whenever a user is redirected to IdentityServer as part of an OIDC challenge for that client, they will have to authenticate again. With this configuration you would be controlling the sso behavior from identity server, rather than forcing each client application to set its prompt parameter.

khteh commented 1 year ago

How to set that SSO lifetime at the server? Does that mean the user has to authenticate again in a different browser tab / window of the same application?

josephdecock commented 1 year ago

SSOLifetime is a property of the client configuration model. It controls how long an SSO session will be used before forcing the user to log in again, regardless of tabs.
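Added example, not code from this thread or from Duende's own samples: the two subdomain apps registered as IdentityServer clients with the per-client SSO lifetime set to zero, as suggested above. The property on Duende's `Client` model is `UserSsoLifetime` (the thread calls it "SSOLifetime"); client ids, scopes and `example.com` URIs are constructed placeholders. Note that the session linking the two apps is IdentityServer's own authentication cookie on the IdentityServer host, not a cookie shared between the app subdomains; this setting tells IdentityServer how old that session may be before the client's authorize request forces a fresh login.

```csharp
// Added example (not from the Duende/Support thread). Client ids and
// redirect URIs are placeholders; adjust to your own registrations.
using System.Collections.Generic;
using Duende.IdentityServer.Models;

public static class Config
{
    // Shared settings for a public (browser-based) React/Next.js client.
    private static Client BrowserClient(string id, string name, string origin) =>
        new Client
        {
            ClientId = id,
            ClientName = name,
            AllowedGrantTypes = GrantTypes.Code,
            RequireClientSecret = false,   // public SPA: no secret, rely on PKCE
            RequirePkce = true,
            RedirectUris = { $"{origin}/callback" },
            PostLogoutRedirectUris = { $"{origin}/" },
            AllowedCorsOrigins = { origin },
            AllowedScopes = { "openid", "profile" },

            // Maximum age, in seconds, of the existing IdentityServer session
            // that this client will accept. Zero, as suggested in the thread,
            // means every authorize request for this client requires the user
            // to authenticate again, so a login in app-one no longer signs
            // app-two in silently (and vice versa). Leave it null to keep
            // normal SSO between clients that trust this IdentityServer.
            UserSsoLifetime = 0,
        };

    public static IEnumerable<Client> Clients => new[]
    {
        BrowserClient("app-one", "App One (React/Next.js)", "https://app1.example.com"),
        BrowserClient("app-two", "App Two (React/Next.js)", "https://app2.example.com"),
    };
}

// Registration in Program.cs (in-memory stores shown for brevity):
//
//   builder.Services.AddIdentityServer()
//       .AddInMemoryClients(Config.Clients)
//       .AddInMemoryIdentityResources(new IdentityResource[]
//       {
//           new IdentityResources.OpenId(),
//           new IdentityResources.Profile(),
//       });
```

Because the check is per client, it also applies within one application: once the IdentityServer session is older than the configured lifetime, any new OIDC challenge from that client, in any tab, will prompt for credentials again.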