I've done something similar by doing the following (using cookie authentication):
1 - set the cookie domain to be the TLD across all websites
My Startup.Auth.cs looks like this:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => {
                    var identity = manager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
                    // some additional claims and stuff specific to my needs
                    return Task.FromResult(identity);
                })
        },
        CookieDomain = ".example.com"
    });

2 - update the web.config of all websites to use the same <machineKey />
Mine looks like this:

    <machineKey
        decryption="Auto"
        decryptionKey="my_key"
        validation="HMACSHA512"
        validationKey="my_other_key" />

Now I can perform login operations on, say, account.example.com, and redirect the user to site1.example.com and they will be seen as authenticated.
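
A consistency check for step 2, added here as an example and not part of the original answer: it parses each site's web.config, fingerprints the `<machineKey>` settings without printing the keys, and reports sites whose keys are auto-generated or differ from the login site. The site names beyond those in the answer, the sample configs and the helper names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

SHARED = ('<machineKey decryption="Auto" decryptionKey="my_key" '
          'validation="HMACSHA512" validationKey="my_other_key" />')
AUTO = ('<machineKey decryptionKey="AutoGenerate,IsolateApps" '
        'validationKey="AutoGenerate,IsolateApps" validation="HMACSHA512" />')

def wrap(machine_key):
    return f"<configuration><system.web>{machine_key}</system.web></configuration>"

# Constructed sample input: site name -> web.config text (placeholder keys).
SAMPLE_CONFIGS = {
    "account.example.com": wrap(SHARED),   # login site, used as the reference
    "site1.example.com": wrap(SHARED),
    "site2.example.com": wrap(AUTO),       # hypothetical misconfigured site
    "site3.example.com": wrap(""),         # hypothetical site with no element
}
ATTRS = ("decryption", "decryptionKey", "validation", "validationKey")

def machine_key_fingerprint(web_config_xml):
    """Return (fingerprint, problems) for the <machineKey> of one web.config."""
    node = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if node is None:
        return None, ["no <machineKey> element in this file"]
    problems = []
    for name in ("decryptionKey", "validationKey"):
        if "autogenerate" in node.get(name, "AutoGenerate").lower():
            problems.append(f"{name} is auto-generated, so it is not shared")
    # Hash the settings so the key material never appears in the report.
    material = "|".join(node.get(a, "").lower() for a in ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:12], problems

def audit(configs):
    """Map each site to its problems; an empty list means it matches the first site."""
    results = {site: machine_key_fingerprint(xml) for site, xml in configs.items()}
    reference = next(iter(results.values()))[0]
    report = {}
    for site, (fingerprint, problems) in results.items():
        if fingerprint is not None and fingerprint != reference:
            problems.append("machineKey differs from the reference site")
        report[site] = problems
    return report

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_CONFIGS).items():
        print(site, "OK" if not problems else "; ".join(problems))
```

A site that reports a problem here cannot decrypt or validate the cookie issued by the login site, so its users will appear unauthenticated after the redirect.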