Single sign-on flow using JWT for cross domain authentication

by

Redirecting the user to the central authentication service when the user is not logged in to request credentials and issue a new authentication token is the common scenario in Single Sign On systems using well-known protocols like oauth2 or OpenId Connect

However when this schema is used across domains the main drawback is that the user is going to be redirected and authenticated each time he navigates to other domain due to same-origin policy: the access token can not be shared between domains (example2.com can not access data of example1.com), so the target domain will treat user as unauthenticated, redirecting him to the central SSO service.

To prevent the authentication service from re-requesting credentials, it is common to have a session cookie (not an access token), but there is a tecnique to share data across domains using browser localStorage/cookies and a iframe pointing to an intermediate domain sso.example.com

  1. To authenticate the user in example1.com, redirect him to the authentication server in sso.example.com, issue a JWT after authenticating and store it in the localStorage of this domain. After this, redirect user to the origin domain example1.com

  2. Create an iframe in example2.com pointing to sso.example.com. The iframe in sso.example.com reads the JWT token and sends a message to the parent page

  3. The parent page receives the message and gets the attached token continuing with the SSO flow

There is no problem with same-origin policy because sso.example.com has access to its localStorage and the communication between iframe and the parent page is allowed if origin and target domains recognize each other (see http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage)

To simplify development, we have released recently a cross domain SSO with JWT at https://github.com/Aralink/ssojwt

This method is perfectly compatible with SSO flows. It is just a way to share the authentication token without redirections and avoid unnecessary log-ins when the domains are federated

More Related Contents:

  1. What’s the difference between OpenID and OAuth?
  2. Single Sign On across multiple domains [closed]
  3. What if JWT is stolen?
  4. How to get a JWT?
  5. What are the main differences between JWT and OAuth authentication?
  6. Google OAuth 2 authorization – Error: redirect_uri_mismatch
  7. Set cookies for cross origin requests
  8. Where to store JWT in browser? How to protect against CSRF?
  9. How can I extend ServiceStack Authentication
  10. Socket.IO Authentication
  11. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  12. Forgot Password: what is the best method of implementing a forgot password function?
  13. How Spring Security Filter Chain works
  14. Verifying JWT signed with the RS256 algorithm using public key in C#
  15. How to use UrlFetchApp with credentials? Google Scripts
  16. how to implement login auth in node.js
  17. What is the purpose of a “Refresh Token”?
  18. Kafka SASL zookeeper authentication
  19. CSRF Token necessary when using Stateless(= Sessionless) Authentication?
  20. Keycloak retrieve custom attributes to KeycloakPrincipal
  21. What is the Authorized Javascript Origin for a webapp powered by Google Script?
  22. IIS7: Setup Integrated Windows Authentication like in IIS6
  23. OWIN – Authentication.SignOut() doesn’t seem to remove the cookie
  24. How to use Windows Active Directory Authentication and Identity Based Claims?
  25. In Subversion can I be a user other than my login name?
  26. Microservice Authentication strategy
  27. Best practices for server-side handling of JWT tokens [closed]
  28. Where can I find a list of OpenID Provider URLs? [closed]
  29. Multiple IdentityServer Federation : Error Unable to unprotect the message.State
  30. How can I use persisted cookies from a file using phantomjs

Leave a Comment