I would like to use one service from multiple webapp with CredentialsAuthProvider.
How can I separate sessions per AppId? Now If I log in AppA with UserA then switch to AppB and log in with same user, the session shared between the two apps.
You can’t with Credentials AuthProvider, there’s only a single UserSession per user, not per App. If the Apps were on different domains you could have separate User Sessions then, but they’d be separate not shared.
If you had different roles per App, then you could protect your Apps by whether or not the User was in the specified Role, but there’d only be a single login.
Thank you for your clarification.
I log in to the AppA with UserA then open a new tab and log in to the AppB with UserB. If I refreshed AppA the ss-id changed to the last logged user's (UserB) ss-id. Is there any chance to use the two apps in one browser at the same time or I have to create a service for AppA and another one for AppB?
If you want 2 different logins at the same time, you’ll need to have apps on 2 different domains, e.g:
This question is about
CredentialsAuthProvider, if you use JWT there's still only 1
ss-tok Cookie or HTTP Authentication Bearer Token to maintain an Authenticated Session in. The general strategy would be to use multiple Audiences to specify which Services/Apps the user has access to. So there still would only be 1 login, but they could use that to access multiple Apps/Services
Whichever approach you take, if you share Authentication you'll also share the single Authentication UserSession between both apps. There would still only be 1 login which you'd want to somehow include in the UserSession which Apps the User has access to. I suggested having different Roles, but you could also maintain a custom property like App names. But if you were to use JWT instead you would use its Audience to distinguish which Apps/Services that their Authenticated UserSesion applies to.
Ultimately the mechanism is unimportant, if you want 2 separate logins which users can be logged into at the same time you would need to host each App on their own domain as there is only one Session Cookie or BearerToken that's used for Authentication.