Cross-site auth via auth.oriz.in
Concept
The Firebase project oriz-app exposes its auth handler at the custom
domain auth.oriz.in. Every site (*.oriz.in) and every browser
extension funnels sign-in through that one domain, so the user signs
in once and is signed in everywhere.
How it works
- Firebase project oriz-app is configured with custom auth domain auth.oriz.in
- Sites configure the Firebase web SDK with authDomain: 'auth.oriz.in' (via @chirag127/firebase-init)
- Browser tabs on *.oriz.in share Firebase's IndexedDB-backed auth state through cookie-less, third-party-safe redirect flows centred on auth.oriz.in
- Chrome / Firefox / Edge extensions use chrome.identity.launchWebAuthFlow() to bounce through auth.oriz.in. The returned ID token is stored in chrome.storage.local
- Every surface — sites and extensions — reads the same users/{uid}/subscription doc to gate features
- Auth UI lives in @chirag127/auth-ui, re-exported from @chirag127/oriz-kit. Each site styles via [data-oriz-account-*] attribute hooks; oriz-kit ships no styles.
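An added example (not code from the oriz packages) of the checks an extension can run on the URL returned by chrome.identity.launchWebAuthFlow() before the ID token is written to chrome.storage.local. The fragment parameter names id_token and state, and all function names, are assumptions; the issuer and audience values follow Firebase's ID token format for the project oriz-app.

```javascript
// Added example. Assumptions (not from the page): the token comes back in the
// URL fragment as `id_token`, and a `state` nonce is echoed with it.
const PROJECT_ID = 'oriz-app'; // Firebase project named on the page

// Decode (not verify) the payload segment of a JWT.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')));
}

// redirectUrl:    value resolved by chrome.identity.launchWebAuthFlow()
// expectedOrigin: origin of chrome.identity.getRedirectURL()
// expectedState:  nonce the extension generated before starting the flow
// nowSec:         current time in seconds since the epoch
function parseAuthRedirect(redirectUrl, expectedOrigin, expectedState, nowSec) {
  const url = new URL(redirectUrl);
  if (url.origin !== expectedOrigin) throw new Error('unexpected redirect origin');
  const params = new URLSearchParams(url.hash.slice(1));
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  const idToken = params.get('id_token');
  if (!idToken) throw new Error('no id_token in redirect');

  // Claim checks only: the signature is not verified here, so this is a
  // sanity filter before storage, not proof of authenticity.
  const c = decodeJwtPayload(idToken);
  if (c.aud !== PROJECT_ID) throw new Error('wrong audience');
  if (c.iss !== `https://securetoken.google.com/${PROJECT_ID}`) throw new Error('wrong issuer');
  if (typeof c.exp !== 'number' || c.exp <= nowSec) throw new Error('token expired');
  if (typeof c.sub !== 'string' || c.sub === '') throw new Error('missing uid');
  return { uid: c.sub, idToken, expiresAt: c.exp };
}

// Constructed, unsigned sample token for exercising the checks above.
function makeSampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
```

In an extension, expectedOrigin would be new URL(chrome.identity.getRedirectURL()).origin and nowSec would be Math.floor(Date.now() / 1000).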
Why this shape
A custom auth domain achieves three things at once:
- Recruiters never see a firebaseapp.com URL during sign-in
- Auth state survives browser third-party cookie restrictions, since auth.oriz.in is same-site with every *.oriz.in subdomain
- Extensions can use the standard chrome.identity flow without each needing its own OAuth client
The single Firebase project also keeps the user model simple — one
uid per human across the entire family, so subscription unlocks
flow naturally.
Cross-refs
- The Spark plan that hosts this → layer-3-auth-firebase-spark.md
- How extensions plug in → extension-distribution.md
- What signing in unlocks → subscription-flow.md
- Where the shared auth UI lives → the-23-packages.md