How to implement JWT-based single sign-on authentication logout?

I am trying to figure out how to implement a single sign-out function using Json Web Tokens.

Say we have:

  • example1.com
  • example2.com
  • authserver.com

When a user must authenticate to example1.com, they are redirected to authserver.com, which verifies the user's credentials, creates a signed JWT token, and redirects the user back to example1.com with this token. example1.com then sets a cookie (or LocalStorage key), and the user stays authenticated with example1.com until the token expires. authserver.com is no longer required to authenticate the user.

The user then moves on to example2.com, which is part of the same single sign-on architecture. The user must be authenticated there too, so example2.com also redirects the user to authserver.com, which recognizes the user (from the cookie set the first time), creates a new JWT token and automatically redirects the user to example2.com. example2.com then sets a cookie (or LocalStorage key), and the user stays authenticated with example2.com until the token expires. authserver.com is no longer required to authenticate the user.

Now, how can the "logout" function be implemented?

If the user logs out of example1.com, the JWT token on example1.com is deleted and the user is no longer authenticated there. But as soon as he tries to reach the protected area, example1.com redirects him to authserver.com, where the user will be recognized and automatically logged in again ... even though he just logged out!

Question 1) So I think that when the user logs out of example1.com, you need to make a call to authserver.com to delete the cookie set by authserver.com, so that the user won't be logged in automatically?

Question 2) If so, what about example2.com? Should the user still be authenticated there? If not, what is the proposed flow so that example2.com knows that the JWT token it holds for the user is no longer valid?

+5
2 answers

1) https://openid.net/specs/openid-connect-session-1_0.html#RPLogout - this is one specification (there are other specifications for different strategies) for logging out of authserver. It defines the end_session_endpoint to which your example1.com redirects.

2) I think it depends on what you want. You may not want to kill the example2.com session - in that case example2.com keeps working, and the JWT for example2.com remains valid. If you want to log out of all your clients, it is a little more complicated, but possible. In my project, logging out from one client and from authserver was what we wanted.

+2

Alternatively, you can also implement a gateway SSO without OpenID, using only JWT on the client side, as Google web applications do, for example.

The advantage is that you do not need to redirect the user to the server to find out whether the user is logged in. Logout and JWT changes can be synchronized automatically between tabs.

After authserver.com returns the JWT to example1, store it in localStorage, but under the intermediate domain sso.example.com via an iframe. Include this iframe (pointing to sso.example.com) in example1 and example2. The iframe will read the JWT and send a message containing the token to the page.

When the user logs out or switches the active user, the iframe can also send a message to the parent so that you can synchronize all your sites (if you want).

There is no problem with CORS because sso.example.com has access to its own localStorage, and messaging between the iframe and the page is allowed as long as origin and destination are checked (see http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage ).

To simplify development, we recently released a cross-domain SSO with JWT at https://github.com/Aralink/ssojwt

Summarizing your questions for this architecture:

  1) Clear the JWT in localStorage and send a JavaScript event
  2) Listen for the event and decide what to do

+5

Source: https://habr.com/ru/post/1236728/
