How to share session information between two next.js apps? (SSO) #1668

Closed
jjmendozabdev opened this issue Apr 7, 2021 · 6 comments
Labels
question Ask how to do something or how something works

Comments

jjmendozabdev commented Apr 7, 2021

I'm having an issue trying to share the session information between two next.js apps that are in different subdomains. This is the configuration that I have in the [...nextauth].ts file:

```ts
import NextAuth, { InitOptions } from 'next-auth';
import { NextApiRequest, NextApiResponse, SessionBase } from 'next-auth/_utils';

const useSecureCookies = process.env.NEXTAUTH_URL.startsWith('https://');
const cookiePrefix = useSecureCookies ? '__Secure-' : '';
const hostName = new URL(process.env.NEXTAUTH_URL).hostname;
const domain =
    hostName === 'localhost'
        ? hostName
        : hostName.substring(hostName.indexOf('.'));
const options: InitOptions = {
    cookies: {
        sessionToken: {
            name: `${cookiePrefix}next-auth.session-token`,
            options: {
                httpOnly: true,
                sameSite: 'lax',
                path: '/',
                secure: useSecureCookies,
                domain,
            },
        },
    },
    providers: [
        {
            ...
        },
    ],
};

export default (req: NextApiRequest, res: NextApiResponse<any>) =>
    NextAuth(req, res, options);
```

app 1 running on https://abc.mydomain.com:

I successfully log in and can see the profile information. The cookie "__Secure-next-auth.session-token" is set to the domain ".mydomain.com".

app 2 running on https://xyz.mydomain.com:

The cookie is not present and even gets removed from "abc.mydomain.com" as soon as I enter this app.

So, why is the cookie removed as soon as I enter this subdomain?
What is the proper configuration to have this SSO across subdomains implemented? I have the next-auth library in both apps and the same configuration with the pages/api/auth/[...nextauth].ts. Is this correct?

@jjmendozabdev jjmendozabdev added the question Ask how to do something or how something works label Apr 7, 2021
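
The cookie scope produced by the configuration in the post above can be checked offline. This is an added example, not part of the original post or of next-auth: `deriveCookieDomain` copies the expression from the posted config, while `domainMatches`, `auditCookieScope` and the sample URLs beyond the two hosts named in the issue are assumptions made for illustration. It checks scope only and does not address why the cookie is removed.

```javascript
// Added example; not code from the issue or from next-auth.

// Same expression as the posted config: drop the first label of the host.
function deriveCookieDomain(nextAuthUrl) {
  const hostName = new URL(nextAuthUrl).hostname;
  return hostName === 'localhost'
    ? hostName
    : hostName.substring(hostName.indexOf('.'));
}

// RFC 6265 section 5.1.3 domain-match. A leading dot in the Domain
// attribute is ignored (section 5.2.3); IP hosts only match exactly.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (domain === '') return false;
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Hypothetical helper: report the derived Domain and which app hosts
// would receive a cookie scoped to it.
function auditCookieScope(nextAuthUrl, appHosts) {
  const domain = deriveCookieDomain(nextAuthUrl);
  const labels = domain.replace(/^\./, '').split('.').filter(Boolean);
  return {
    domain,
    // One label other than localhost (e.g. ".com" from an apex URL) is not
    // a usable shared scope; browsers reject public suffixes as Domain.
    singleLabel: domain !== 'localhost' && labels.length < 2,
    covers: Object.fromEntries(
      appHosts.map((h) => [h, domainMatches(h, domain)])),
  };
}

// Constructed inputs: the two hosts from the issue plus edge cases.
const hosts = ['abc.mydomain.com', 'xyz.mydomain.com'];
for (const url of [
  'https://abc.mydomain.com',         // as in the issue
  'https://mydomain.com',             // apex: derivation yields ".com"
  'https://abc.staging.mydomain.com', // extra level: narrower scope
  'http://localhost:3000',
]) {
  console.log(url, JSON.stringify(auditCookieScope(url, hosts)));
}
```

With `NEXTAUTH_URL` set to either host from the issue, the derived Domain covers both apps; the apex and extra-level cases show where the same expression yields a scope that is unusable or too narrow.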
@balazsorban44
Member

Duplicate of #794

@balazsorban44 balazsorban44 marked this as a duplicate of #794 Apr 7, 2021
@jjmendozabdev
Author

@balazsorban44 The post that you are indicating doesn't explain why the cookie is deleted or how to implement the configuration to share the sessions between the apps. Any idea of how to get it working? Thanks in advance.

@balazsorban44
Member

Didn't say I had a solution, just that this issue was a duplicate. For easier maintenance, when an issue has already been opened before, we try to point to the oldest one and close any others.

@jjmendozabdev
Author

I have read the post that you mentioned and it doesn't answer my question. So closing this issue doesn't help me much :s

@balazsorban44
Member

balazsorban44 commented Apr 8, 2021

I understand. I haven't said either that someone there solved your problem, but as a maintainer of a popular library, it is easier to keep track of fewer issues with a single source of truth, in case we have feedback or new information related to one. And that way we don't have to track down multiple related issues that are already reported.

This is also mentioned in the "Read before creating a new issue" #419

Maybe not word for word, but it should also be common sense not to re-report existing issues, as it just creates maintenance overhead.

@DanielF93Dev

I'm using Google OAuth. I just tested 2 local environments on port 3000 and 3001, and adding the same credentials to both applications and also authorizing the redirect URIs at Google seems to be working. Imma test later in my own public subdomains, cause that would do the trick.
