This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Understanding the correct method for implementing simple SSO #497

Closed
PieterLutz opened this issue Nov 3, 2014 · 5 comments

@PieterLutz

We currently have the following situation:

App1, a JavaScript SPA using a modified OAuthClient.js to enable Authorization Code Flow. We use IdSrv.v3 to authenticate and exchange the authorization code for an Access Token to be used as Bearer token on local WebAPI. No problems thus far.

App2, an ASP.NET Forms Application, is also registered with IdSrv.v3 as a client/RP and using Authorization Code Flow. App2 hosts an aspx webpage that will be called via a hyperlink/URL from App1. This will result in a new browser tab/instance displaying the said App2 ASP.NET page.

We are clearly looking for SSO behaviour, so what would be the correct method to follow to get access to the page as discussed above without the user having to log in again at IdSrv.v3 redirected from App2?

Your hard work is much appreciated!!

@leastprivilege
Member

IdentityServer issues a cookie after successful login - so you should not see the login screen twice during a session.

@PieterLutz
Author

Thank you for confirming this, the simplicity on the implementation side of things is really what makes IdSrv shine. We got somewhat sidetracked by complicating the issues at hand and in the process overlooked the obvious.

@PieterLutz
Author

So after initially authenticating at IdSrv.v3 via App1, and while handling the HTTP request (originating from clicking the App1 hyperlink) on App2, we would need to store the requested URL (together with query string) in a session variable.

Then when the authorization round-trip to IdSrv.v3, via App2, returns to our App2 callback page, and we see that we still have a valid session going, we could extract the originally requested URL from the session and redirect the user to the requested page.

Would that be a safe and advisable way to go about it or is there a better way?

@leastprivilege
Member

Use your favourite state-keeping mechanism - e.g. a cookie for server-based apps - or local storage for JS.
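
Added example, not part of the original thread and not IdentityServer code: one way to keep the originally requested URL across the authorization round trip on the JavaScript side, keyed by a random `state` value, used once, and restricted to same-origin targets so the post-login redirect cannot be turned into an open redirect. `APP_ORIGIN`, `memoryStore`, `safeReturnPath`, `beginLogin` and `completeLogin` are hypothetical names; in a browser, `window.localStorage` can be passed in place of `memoryStore()`.

```javascript
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const APP_ORIGIN = "https://app2.example"; // assumption: the client's own origin
const MAX_AGE_MS = 10 * 60 * 1000;         // pending entries expire after 10 minutes

// In-memory stand-in with the getItem/setItem/removeItem shape of localStorage.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}

// Accept only URLs that resolve to our own origin; anything else falls back to "/".
function safeReturnPath(requested) {
  try {
    const u = new URL(requested, APP_ORIGIN);
    if (u.origin !== APP_ORIGIN) return "/";
    return u.pathname + u.search + u.hash;
  } catch {
    return "/";
  }
}

// Before redirecting to the authorize endpoint: remember the URL under a random state.
function beginLogin(store, requestedUrl, now = Date.now()) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const entry = { path: safeReturnPath(requestedUrl), at: now };
  store.setItem("oidc." + state, JSON.stringify(entry));
  return state; // sent as the `state` parameter of the authorization request
}

// On the callback page: the returned state must match a pending entry, used only once.
function completeLogin(store, returnedState, now = Date.now()) {
  const key = "oidc." + returnedState;
  const raw = store.getItem(key);
  if (raw === null) return null; // unknown or replayed state: reject the response
  store.removeItem(key);
  const entry = JSON.parse(raw);
  if (now - entry.at > MAX_AGE_MS) return null;
  return safeReturnPath(entry.path); // re-validate in case the stored value was altered
}
```

A `null` result from `completeLogin` means the callback should not be honoured; a server-side session variable or cookie can follow the same begin/complete shape.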

@leastprivilege
Member

I will close this since this is not related anymore to the topic.
