I am working on creating an SSO solution using oidc-provider and oidc-client-ts with the Authorization Code flow with PKCE. I have the core configuration items in place and can go through the flow up to getting the response with the access_token and id_token. I am working on implementing the httpOnly cookie scenario but am confused about how SSO would be achieved if I have two apps on the same subdomain and a third app that is completely external to the domain.
- How would the httpOnly cookie carry over to subsequent apps after the initial login, and if it would not, what strategy would I need to make this happen?
- How would the oidc-provider know this user is already logged in once the request is made from the other applications?