Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
699 views
in Technique[技术] by (71.8m points)

cross domain - Single Sign On (SSO) using JWT

I have read several articles about sso but could not find an answer in my mind. I have a scenario like below:

Scenario:

  • My company wants to have sso mechanism using jwt.
  • Company has 2 different domains like abc.com as abc and xyz.com as xyz.
  • Also there is a masterdomain that manages clients authentication.
  • User X wants to log in abc at first.
  • abc sends credentials to masterdomain and masterdomain authenticates user then create a signed jwt in order to send back to abc.
  • abc keeps this jwt in a cookie.
  • After a while if a login to abc is attempted at the same computer, system does not ask for credentials and automatically login the user.

Question:

If user tries to open a page in xyz domain, how does the system understand that the user loggedin before? I mean xyz domain cannot reach the cookie of abc which has the jwt. What information should be sent to xyz that indicates the user X is trying to login?

Thanks in advance

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You can store the JWT authentication token in a cookie / localStorage of a intermediate domain connected to the home page using an iframe

cross domain sso

Scenario

  • abc sends credentials to masterdomain and masterdomain authenticates user then create a signed jwt in order to send back to abc.

  • abc masterdomain keeps this jwt in a cookie.

  • After a while if a login to abc is attempted at the same computer, system does not ask for credentials and automatically login the user.

Finally when the user enters in the second domain xyz, the jwt is recovered from masterdomain storage using the iframe, and automatically login the user

CORS is not a problem because masterdomain.com have access to its storage and communication between iframes is allowed if origin and destination are recognized (see http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage)

To simplify development, we have released recently an opensource project cross domain SSO with JWT at https://github.com/Aralink/ssojwt


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...