Device ID Consistency Across OAuth Provider and Main Application #1089
Replies: 1 comment 4 replies
-
|
Hi @Sertturk16
I am not sure this is true, at least I cannot reproduce it, I am getting the same device ID using FingerprintJS in two different domains. |
Beta Was this translation helpful? Give feedback.
-
|
Hi In my case, one of the device IDs is generated by a mobile application, while the other is generated by a webview, which is why I believe different device IDs are being obtained. Do you think this could be the case? Thanks for your interest. |
Beta Was this translation helpful? Give feedback.
-
|
Just to clarify, you are talking about the source-available FingeprintJS, correct? Because that only works in browsers, not in native mobile applications. |
Beta Was this translation helpful? Give feedback.
-
|
We use fingerprintjs-pro-react-native in mobile app |
Beta Was this translation helpful? Give feedback.
-
|
Okay, sorry about the confusion. You are using the commercial Fingerprint platform, not FingerprintJS. The JavaScript agent of Fingerprint (Pro) generates the same visitor ID even on different web domains, as long as both domains use public API keys belonging to your (one) Fingerprint workspace. But if you are using React Native, that's just a wrapper for underlying native Android and iOS SDKs. Those IDs are different than the ones generated on the web. Is your main application using React Native? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
I’m working on an authentication system with two separate domains:
OAuth provider → Handles login, password reset, 2FA, etc.
Main application → Requests access tokens from the OAuth provider and handles user interactions.
On the main application, we use FingerprintJS to generate a device-id and send it when requesting an access token. Once authenticated, this device-id is included in the X-Device-Id header for every request, allowing us to associate user actions with their device in our logs.
The issue arises on the OAuth provider. Before the user is authenticated, we want to log login attempts, password resets, and 2FA actions along with a consistent device-id. However, since the user has not yet obtained an access token, we don't have an associated device-id. Implementing FingerprintJS separately on the OAuth provider results in a different device ID, as expected, due to how FingerprintJS generates IDs per domain.
What We Cannot Do:
We cannot pass the device-id from the main application to the OAuth provider via cookies or URL parameters due to security concerns.
Since FingerprintJS generates IDs differently per domain, running the same logic separately on the OAuth provider does not produce the same device-id.
What We Need:
Is there a recommended way to generate a consistent device identifier across multiple related domains using FingerprintJS? Ideally, we would like the device-id to be the same across the OAuth provider and the main application for the same user/device.
If that’s not possible, is there any alternative approach you would suggest for tracking the same device across an OAuth provider and a main application without compromising security?
Thanks in advance
Beta Was this translation helpful? Give feedback.
All reactions