Clarifying AWS Cognito Session Management in Retool Embeds

Hi everyone,

We’re on the enterprise plan and embedding a Retool app inside a React app. The React app is primarily so we can have multiple different subdomains and a custom login screen per tenant.

We use AWS Amplify with Cognito, where tokens are stored in localStorage. I’m considering switching to CookieStorage for automatic SSO login, as implied by the docs.
https://docs.retool.com/3.75/sso/guides/authentication/trigger-login-automatically

We can generate an embed URL, but I’m unclear on how the parent app and embedded Retool app “share authentication state.”

Here’s my assumption:

  1. User authenticates with AWS Cognito (OIDC provider).
  2. Our backend calls the Retool API to generate an embed URL (authenticated via the user’s token).
  3. The embedded Retool app retrieves the parent window’s session cookies and uses them to request its own access token for API calls.

Example request:

GET https://<CognitoDomain>/oauth2/authorize?response_type=code&client_id=<CognitoClientID>&redirect_uri=<RetoolRedirectURI>&scope=openid+email+profile&state=<random_state_value>

Cookies:
  CognitoAuthSession=<SessionCookie>; Secure; HttpOnly

My question: Does Retool automatically use this session cookie for authentication? If so, how does the Retool app know to use that cookie? Is this just handled by the browser?

Thanks for your help!

Never mind, cleared up my own confusion by reading the docs some more. It looks like the option to use SSO and "Custom authentication with Retool API" are two distinct options. I was conflating the two.
