Do you know how to redirect the user to a specific...
# support-questions-legacy
c
Do you know how to redirect the user to a specific domain/path after login? I have several applications in different domains; my idea is to create a single login screen and redirect back to where the user was after login. Would this be possible using SuperTokens? I even read the documentation, but I saw that it is only possible to specify a path in the domain itself. Can anyone out there help me with this? Thanks for any help.
r
hey @cosmoecwsa
We do not allow cross-domain redirects by default because that can make phishing attacks "easier". If you want to do this, what you should do is redirect to a route like `/redirect` post login, and on that route, further redirect the user to wherever you want.

So when another domain navigates to the auth domain, you can make it first navigate to `auth.myapp.com/login?redirectBack=https://xyz.com&nonce=somerandomstring`. Then on the `/login` route, you can save the `redirectBack` and `nonce` query params in session storage and redirect to the actual login screen of the auth subdomain with the `redirectToPath` query param set to `/redirect`.

Then on the `/redirect` page, you check if a session exists, and if it does, you read the value from session storage and redirect the user back based on the `redirectBack` value. The redirect can be something like `https://xyz.com/callback?nonce=...&jwt=...`.

On the `/callback` page on xyz.com, you can check that the nonce is the same as what was sent when navigating to the auth domain, and then send the JWT to its backend. The backend verifies the JWT and creates a session on xyz.com.
c
I did what you suggested; however, in my application I'm getting a CORS error when trying to validate with the main domain. I've tried everything to release the CORS restriction, and nothing worked. Any idea how I can solve it? I'm using Python and FastAPI.
r
"when trying to validate with the main domain" -> could you explain this?
c
I have app A and app B. Both authenticate to my emailpassword backend, and each application is in a different domain. If I try to call `/emailpassword/session/refresh` from a different domain than my backend, I get a CORS error. I need to release this somehow, because my idea is to authenticate all my apps using a single domain, although each app has its own domain.
r
So both app A and app B should have their own session that's tied to their own backends. So the refresh API call should happen to their respective backends.