跨域登录 - 如何在用户从一个域转移到另一个域时自动登录 [英] Cross Domain Login - How to log a user in automatically when transferred from one domain to another

问题描述

我们提供多种在线服务.如果用户从一个服务(在 domain1.com 上)转移到另一个服务(在 domain2.com 上)，我们需要开发一个系统，为用户提供快速/简单的体验>).

We offer a number of online services. We are required to develop a system which provides a quick/simple experience for users if they are transferred from one service (on domain1.com) to another service (on domain2.com).

是否有一种安全可靠的方法可以在用户转移到新服务后自动登录?

Is there a safe and secure way to log a user in automatically once he has been transferred to the new service?

如果以下解决方案完全不安全/错误，请对我大喊大叫.

Yell at me if the solution below is completely insecure/wrong.

我们正在考虑一个类似于许多在线服务提供的密码恢复系统 - 他们会通过电子邮件发送一个带有唯一哈希的链接，该哈希会过期，允许他们更改密码.

We were considering a system similar to that provided by a number of online services for password recovery - they are emailed a link with a unique hash which expires, that allows them to change their password.

domain1.com 站点会生成一个唯一的哈希值并将其存储在一个数据库中，该哈希值与一个用户以及一个过期日期时间字段相关联.

The domain1.com site would generate a unique hash and store it in a database with the hash linked to a user along with an expire datetime field.

用户将被转移到domain2.com/auto/?hash=d41d8cd98f00b204e9800998ecf8427e

domain2.com 接下来将使用哈希向 domain1.com 发出请求，以获取有关用户的信息.domain1.com 然后将从数据库中删除哈希.domain2.com 将用户登录并设置 cookie 等.

domain2.com would next make a request to domain1.com with the hash to get the information about the user. domain1.com would then remove the hash from the database. domain2.com would log the user in and set cookies, etc.

基于 OpenID 或 OAuth 的东西能达到相同的结果吗?

Could something based on OpenID or OAuth achieve the same results?

推荐答案

单点登录 (SSO) 在概念上非常简单.

Single sign-on (SSO) is conceptually pretty simple.

• 用户点击domain1.com.
• domain1.com 发现没有会话 cookie.
• domain1.com 重定向到 sso.com
• sso.com 显示登录页面，并获取凭据
• sso.com 为用户设置会话 cookie
• sso.com 然后重定向回 domain1 到一个特殊的 url(如 domain1.com/ssologin)
• ssologin URL 包含一个基本上由 sso.com签名"的参数.它可以像使用共享密钥对 loginid 进行 base64 加密一样简单.
• domain1.com 获取加密的令牌，对其进行解密，然后使用新的登录 ID 登录用户.
• domain1 为用户设置会话 cookie.

• User hits domain1.com.
• domain1.com sees there's no session cookie.
• domain1.com redirects to sso.com
• sso.com presents login page, and take credentials
• sso.com sets session cookie for the user
• sso.com then redirects back to domain1 to a special url (like domain1.com/ssologin)
• the ssologin URL contains a parameter that is basically "signed" by the sso.com. It could be as simple as a base64 of encrypting the loginid using a shared secret key.
• domain1.com takes the encrypted token, decrypts it, uses the new login id to log in the user.
• domain1 sets the session cookie for the user.

现在，下一个案例.

• 用户点击 domain2.com，它跟在 domain1 之后并重定向到 sso.com
• sso.com 已经有用户的 cookie，所以不显示登录页面
• sso.com 使用加密信息重定向回 domain2.com
• domain2.com 用户登录.

• User hits domain2.com, which follows domain1 and redirects to sso.com
• sso.com already has a cookie for the user, so does not present the login page
• sso.com redirects back to domain2.com with the encrypted information
• domain2.com logs in the user.

这是其工作原理的基本原理.你可以让它更健壮，功能更丰富(例如，这是SSOn，但不是SSOff，用户可以注销"domain1，但仍会登录到 domain2).您可以使用公钥来签署凭据，您可以请求从 SSO 服务器传输更多信息(如授权权限等).您可以进行更亲密的集成，例如域会定期检查用户是否仍然拥有来自 SSO 服务器的权限.

That's the fundamentals of how this works. You can make it more robust, more feature rich (for example, this is SSOn, but not SSOff, user can "log out" of domain1, but still be logged in to domain2). You can use public keys for signing credentials, you can have requests to transfer more information (like authorization rights, etc) from the SSO server. You can have more intimate integration, such as the domains routinely checking that the user still has rights from the SSO server.

但是使用重定向通过浏览器的 cookie 握手是所有这些 SSO 解决方案所基于的关键基础.

But the cookie handshake via the browser using redirects is the key foundation upon which all of these SSO solutions are based.

这篇关于跨域登录 - 如何在用户从一个域转移到另一个域时自动登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！