When the SSO feature is activated for your account, ReachFive manages the end user’s cookie session.

When a user logs in, a session cookie is created on your ReachFive tenant ( This allows the user to not having to log in again on a later visit, or when accessing another website linked to the same ReachFive account.

On your website, the state of the session must be checked before displaying the login UI. If a session is active, the user must be directly authenticated and the login UI bypassed.

Configure Session duration

  1. In the ReachFive Console, go to Security  SSO.

  2. Set the Session lifetime in days (default is 3 days).

  3. Set the Require log in after in days (maximum value is 365 days in compliance with the GDPR).

  4. If desired, specify the Allowed logout callback URLs.

    This is optional. If URLs are specified here, the user will only be redirected to these whitelisted URLs. See the logout page for more details.
  5. Don’t forget to Save your input.

The setting is active immediately to all clients within the ReachFive account.

Session duration is renewed with the next /oauth/authorize operation or the equivalent SDK method, for instance checkSession or loginFromSession. If the cookie session lifetime expands beyond the Require login after parameter period, then the user will be forced to re-authenticate.

Using the ReachFive authentication widget

When using the ReachFive authentication widget, this process is implemented transparently:

// If a session is active, the widget will not be displayed, and the
// authentication process will be triggered with the specified auth parameters.
reach5('showAuth', {
  container: document.body,
  auth: {
    redirectUri: ''

Using a custom UI

With a custom UI, you must explicitly check the session state (with the getSessionInfo command) before displaying the UI.

If a session is active, you can use the loginFromSession command to authenticate the user.

var authOptions = {
    redirectUri: ''

reach5('getSessionInfo', function (err, session) {
    if (session.isAuthenticated) {
        // If a session is active, trigger the authentication process
        reach5('loginFromSession', authOptions, function (err) {
          document.getElementById("login-form").style.display = 'block';
    } else {
      // If not, display the login form
      document.getElementById("login-form").style.display = 'block';

Silent authentication

Use Silent Authentication to authenticate users on your website’s public pages without triggering a browser redirect.

It allows to retrieve an id token and an access token directly, without a redirect (the authentication process happens in a hidden iframe).

      nonce: 'abcd' // The nonce links the retrieved id token with the local session
    function (err, authResult) {
      if (err) {
        if (err.error === 'login_required') {
          // No active session
        } else {
          // Unexpected error
      } else {
        // Authenticate the current user locally