Single Sign On (SSO) using JWT


Problem description

I have read several articles about SSO but could not find an answer in my mind. I have a scenario like the one below:

Scenario:

  • My company wants to have an SSO mechanism using JWT.
  • The company has 2 different domains, e.g. abc.com (referred to as abc) and xyz.com (referred to as xyz).
  • There is also a masterdomain that manages client authentication.
  • User X wants to log in to abc first.
  • abc sends the credentials to masterdomain; masterdomain authenticates the user, then creates a signed JWT and sends it back to abc.
  • abc keeps this JWT in a cookie.
  • After a while, if a login to abc is attempted from the same computer, the system does not ask for credentials and automatically logs the user in.

Question:

If the user tries to open a page in the xyz domain, how does the system know that the user logged in before? I mean, the xyz domain cannot reach abc's cookie, which holds the JWT. What information should be sent to xyz to indicate that user X is trying to log in?

Thanks in advance

Solution

You can store the JWT authentication token in a cookie / localStorage of an intermediate domain, connected to the home page using an iframe.

Scenario

  • abc sends the credentials to masterdomain; masterdomain authenticates the user, then creates a signed JWT and sends it back to abc.

  • masterdomain (not abc) keeps this JWT in a cookie.

  • After a while, if a login to abc is attempted from the same computer, the system does not ask for credentials and automatically logs the user in.

Finally, when the user enters the second domain xyz, the JWT is recovered from masterdomain's storage using the iframe, and the user is automatically logged in.

CORS is not a problem because masterdomain.com has access to its own storage, and communication between iframes is allowed if origin and destination are recognized (see http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage).

To simplify development, we have recently released an open-source project for cross-domain SSO with JWT at https://github.com/Aralink/ssojwt
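The exchange the answer describes, written out as an added example (this is not code from the answer or from the Aralink/ssojwt project). It assumes the origins https://masterdomain.com, https://abc.com and https://xyz.com, the message types "sso:get" / "sso:token", and the storage key "sso_jwt"; all of these are illustrative. The two pieces that make the iframe hand-off safe are shown explicitly: the masterdomain frame replies only to an allow-listed sender origin and only to that origin (never targetOrigin "*"), and the xyz page accepts a token only from masterdomain's origin and only if its iss, exp and aud claims fit. The pure functions can be run under Node; the window wiring is browser-only.

```javascript
// Added example for this Q&A, not code from the answer or from Aralink/ssojwt.
// The origins, message types and storage key below are assumptions.
const MASTER_ORIGIN = "https://masterdomain.com";
const CLIENT_ORIGINS = new Set(["https://abc.com", "https://xyz.com"]);
const STORAGE_KEY = "sso_jwt";

// base64url helpers that work in a browser (btoa/atob) and under Node (Buffer).
const toB64 = (s) => (typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64"));
const fromB64 = (s) => (typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1"));
const b64urlEncode = (s) => toB64(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return fromB64(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
};

// Decode the payload WITHOUT checking the signature. Verifying the signature
// needs masterdomain's key and belongs on xyz's backend, which must treat the
// token as untrusted until it has done so; the checks in this page only stop
// it from acting on an obviously wrong token.
function parseClaims(jwt) {
  if (typeof jwt !== "string") return null;
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// masterdomain.com side, running inside the hidden iframe. Answers only
// requests from allow-listed origins, and only to the origin that asked.
function handleSsoRequest(event, storage) {
  if (!CLIENT_ORIGINS.has(event.origin)) return null;            // foreign frame: ignore
  if (!event.data || event.data.type !== "sso:get") return null;
  const jwt = storage.getItem(STORAGE_KEY);
  return { targetOrigin: event.origin, message: { type: "sso:token", jwt: jwt || null } };
}

// xyz.com side, the page that embeds the iframe. Any window can postMessage
// to us, so the sender origin is checked before the token is even looked at.
function acceptSsoReply(event, expectedAud, nowSeconds) {
  if (event.origin !== MASTER_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== "sso:token" || !data.jwt) return null;
  const claims = parseClaims(data.jwt);
  if (!claims || claims.iss !== MASTER_ORIGIN) return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) return null;
  return data.jwt;                                                // hand to xyz's backend
}

// Browser wiring; not exercised under Node.
function wireIframeSide(storage) {
  window.addEventListener("message", (ev) => {
    const out = handleSsoRequest(ev, storage);
    if (out) ev.source.postMessage(out.message, out.targetOrigin);  // pinned, never "*"
  });
}
function wireClientSide(iframe, onToken) {
  window.addEventListener("message", (ev) => {
    const jwt = acceptSsoReply(ev, window.location.origin, Math.floor(Date.now() / 1000));
    if (jwt) onToken(jwt);
  });
  iframe.contentWindow.postMessage({ type: "sso:get" }, MASTER_ORIGIN);  // only masterdomain may receive it
}

// Constructed sample token for offline use; a real one carries masterdomain's signature.
function sampleJwt(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.signature-placeholder`;
}
```

Two caveats on the approach itself, independent of the code: the token in masterdomain's localStorage is readable by any script that gets to run on masterdomain, so an XSS there compromises every client domain at once; and current browsers block or partition third-party cookies and storage for embedded iframes (Safari ITP, Firefox Total Cookie Protection, Chrome's third-party cookie restrictions), so the hidden masterdomain frame may not see the storage that the top-level masterdomain login wrote, and the silent login will fail. A redirect-based flow through masterdomain, as in OpenID Connect, does not depend on third-party storage.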
