Single Sign On (SSO) using JWT


Question

I have read several articles about SSO but could not find an answer in my mind. I have a scenario like the one below:

Scenario:

  • My company wants to have an SSO mechanism using JWT.
  • The company has 2 different domains, like abc.com as abc and xyz.com as xyz.
  • Also there is a masterdomain that manages client authentication.
  • User X wants to log in to abc at first.
  • abc sends the credentials to masterdomain, masterdomain authenticates the user and then creates a signed JWT in order to send it back to abc.
  • abc keeps this JWT in a cookie.
  • After a while, if a login to abc is attempted on the same computer, the system does not ask for credentials and automatically logs the user in.

Question:

If the user tries to open a page in the xyz domain, how does the system understand that the user logged in before? I mean the xyz domain cannot reach the cookie of abc which has the JWT. What information should be sent to xyz that indicates that user X is trying to log in?

Thanks in advance

Recommended answer

You can store the JWT authentication token in a cookie / localStorage of an intermediate domain connected to the home page using an iframe.

Scenario

  • abc sends the credentials to masterdomain, masterdomain authenticates the user and then creates a signed JWT in order to send it back to abc.
  • masterdomain (rather than abc) keeps this JWT in a cookie.
  • After a while, if a login to abc is attempted on the same computer, the system does not ask for credentials and automatically logs the user in.
  • Finally, when the user enters the second domain xyz, the JWT is recovered from masterdomain's storage using the iframe, and the user is automatically logged in.

CORS is not a problem because masterdomain.com has access to its own storage, and communication between iframes is allowed if origin and destination are recognized (see http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage).

To simplify development, we have recently released an open-source project, cross-domain SSO with JWT, at https://github.com/Aralink/ssojwt
