Single sign-on flow using JWT for cross domain authentication


Problem description


There is a lot of information on the web about using JWT (Json Web Token) for authentication. But I still didn't find a clear explanation of what the flow should be when using JWT tokens for a single sign-on solution in a multi-domain environment.

I work for a company which has a lot of sites on different hosts. Let's use example1.com and example2.com. We need a single sign-on solution, which means if a user authenticates on example1.com, we want him to also be authenticated on example2.com, automatically.

Using the OpenId Connect flow, I understand that the user who wants to authenticate on example1.com will first be redirected to the authentication server (or OP: "OpenId Provider"). The user authenticates on that server, which then redirects him back to the original example1.com site with a signed JWT token. (I understand there is another flow which returns an intermediate token that itself can be exchanged for the real JWT token later on, but I don't think this is required for us)...

So now the user is back on example1.com and is authenticated! He can make requests, passing the JWT token in an Authentication header, and the server is able to verify the signed JWT and therefore is able to identify the user. Nice!

First question:

How should the JWT token be stored on the client? There is, again, a lot of information about this, and people seem to agree that using Web Storage is the way to go rather than good old cookies. We want the JWT to be persistent between browser restarts so let's use Local Storage, not Session Storage...

Now the user can restart his browser and he will still be authenticated on example1.com, as long as the JWT token is not expired!

Also, if example1.com needs to make an Ajax request to another of our domains, I understand configuring CORS would allow that. But our main use case is not cross-domain requests, it's having a single sign-on solution!

Therefore, the main question:

Now, what should the flow be, if the user goes to example2.com and we want him to be authenticated, using the JWT token he already has? Local Storage doesn't seem to allow cross-domain access so at this point the browser can't read the JWT token to make requests to example2.com!

Should:

  • The user be redirected to the authentication server again? When the user authenticated for example1.com, the authentication server may have set a cookie on the user, so this new authentication request for example2.com could use that cookie to see that the user is already authenticated and immediately redirect him back to example2.com with the same JWT token?
  • Or can the browser, on example2.com, access the JWT token without having to go to the authentication server again? I see there are cross-storage solutions, but are those widely used? Are they the suggested solution for a cross-domain SSO environment?

We don't want anything fancy, we would be happy with the most widely used solution!

Solution

The user should be redirected to the authentication server again and get a new token (JWT), one that is specifically targeted for example2.com. This is how OpenID Connect and any other cross-domain federated SSO protocol works.
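As an added example (not part of the question or the answer above), the following Python sketch shows why the token minted for example1.com cannot simply be reused on example2.com: each site checks the JWT `aud` claim against its own name, so the OP has to mint a second token for example2.com. The issuer URL, the shared HS256 key and the user name are constructed for the demo; a real OP would sign with an asymmetric key.

```python
import base64, hmac, hashlib, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed demo values: HS256 key shared by the OP and its sites, and the OP's issuer id.
OP_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://op.example"

def issue_token(subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """The OP mints a token bound to ONE site through the `aud` claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_audience: str, now=None):
    """A site verifies signature, issuer, expiry AND that `aud` names itself.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(OP_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def sso_flow(subject: str, now: int):
    """The flow from the answer: the example1.com token is rejected by example2.com,
    so the browser is redirected to the OP (whose own session cookie is still valid)
    and the OP issues a fresh token whose `aud` is example2.com."""
    t1 = issue_token(subject, "example1.com", now=now)
    ok_on_site1 = verify_token(t1, "example1.com", now=now) is not None
    reused_on_site2 = verify_token(t1, "example2.com", now=now) is not None  # wrong aud
    t2 = issue_token(subject, "example2.com", now=now)
    ok_on_site2 = verify_token(t2, "example2.com", now=now) is not None
    return ok_on_site1, reused_on_site2, ok_on_site2
```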

