JWT token for cross-domain authentication

I am trying to create a simple PHP single sign-on system for two domains that are thematically related.

So I was wondering if it is possible to store a signed JWT token containing the username of the user from domain A in local storage, and then check the JWT using the same secret key from domain B, which would lead to successful authentication.

I have Googled for some answers, and found some of them involving an intermediate authentication domain that would take care of authentication. But I would just like to link the two domains that I have.

Thanks.

+6
2 answers

Cross-domain access to storage from domain B to domain A is not allowed by the same-origin policy

Access to data stored in the browser, such as localStorage and IndexedDB, is partitioned by origin. Each origin gets its own storage, and JavaScript in one origin cannot read or write the storage belonging to another origin.

The usual solution is to have a central domain for authentication (maybe A or B) and work with redirects between domains that carry the JWT, or to set an authentication token in the other domains using iframes. More here

The OpenID, OAuth and SAML protocols work with redirects, and, for example, Google's web applications are connected to each other via iframes (in addition, Google is an OpenID Connect provider).

+2

There is no reason why you cannot do this. A JWT is really nothing special; it's just a token, similar to a session id. The difference between a JWT and any other token is that it can carry a data payload.

What you are describing is essentially the OAuth 2.0 password grant. Your single sign-on system is an authorization server that can authenticate users and issue them an access token. In this case, the access token may be a JWT. Users (resource owners) can then use their access tokens to access resource servers (the other related domains); these resource servers can verify that the access token is valid and allow or deny requests.

I use the following library when implementing OAuth 2.0 in PHP: https://oauth2.thephpleague.com/ - there is also good information in the docs there.

0
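As an added illustration of the authorization-server / resource-server split described in the second answer (this is not code from the question or either answer, and it is written in Python rather than PHP so that it runs stand-alone): domain A signs a short-lived HS256 token with a secret shared with domain B, and domain B verifies the signature, pins the algorithm, and checks issuer, audience and expiry before trusting the username. The secret, issuer and audience values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Shared secret known to both domains (constructed placeholder; use 32+ random bytes in practice).
SECRET = b"shared-secret-used-by-both-domains-CHANGE-ME"
ISSUER = "https://sso.example-a.test"    # domain A, the authorization server (assumed name)
AUDIENCE = "https://app.example-b.test"  # domain B, a resource server (assumed name)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username: str, now: int, ttl: int = 300) -> str:
    """Domain A mints a short-lived HS256 JWT for a user it has just authenticated."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token: str, now: int):
    """Domain B checks a presented token; returns the username, or None if any check fails."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm on the verifier side: the token never gets to choose it (rejects "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    # A token minted for a different issuer or audience is not valid here, even if well signed.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims.get("sub")
```

In a real deployment the token would be carried to domain B in a redirect or request header rather than read from domain A's localStorage, which domain B cannot access.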

Source: https://habr.com/ru/post/1014970/
