
Designing the flow of OAuth2 authentication

I am trying to come up with a proper OAuth2 authentication flow for a parent/child relationship.
App-A and App-B are two independent applications. App-A opens App-B in an iframe when the user clicks a link in App-A.

I am responsible for maintaining App-B.
How can I design the flow so that App-B recognizes users coming from App-A and keeps the same session across both applications?

This is the flow I have come up with so far:

  1. App-A will provide a client-id and secret-key to App-B before the interaction.

  2. The user makes a request to the GET /person endpoint of App-B with a parentId.

  3. App-B then sends a request to the App-A server with the client-id, secret-key and redirect-url set to GET /person.

Now, what will App-A send to App-B to pass the session info of the authenticated user?

If the flow doesn't make sense, you can get rid of it.

Your problem is similar to maintaining a session across multiple apps.

The problem with your approach is that you need to make that request from the front end, or in some other way via AppA (which maintains the current user session), which exposes the client id/secret.

Here are some ideas for how you could achieve it.

Are both applications under the same parent domain? If so,

like appA.domain.com and appB.domain.com, then after successful authentication you can set a session identifier cookie on the parent domain *.domain.com. Then from appB you can get the current user session, from which you can get the accessToken too.

If both applications are in different domains, then

you need to have a common auth server which maintains the session, so when appA loads and finds no session available, it can redirect to the common auth server, which in turn checks the session (and if there is none, lets the user log in) and then sends the data back to appA.

The same flow goes for appB.

Also check this link: http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
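The "common auth server" idea from the answer, written out as an added example (this is not code from the question, the answer or the linked article). It models the exchange in-process: App-B, the OAuth2 client, never puts its client secret in the browser; it redirects the user to the auth server, gets back a short-lived single-use authorization code plus the `state` it minted, and redeems the code over the back channel with the secret. The names `AuthServer`, `AppB`, `run_flow`, the client id, secret, redirect URI and user names are all constructed for the example; the cookie and redirect plumbing of a real deployment is reduced to function calls.

```python
import hmac
import secrets
import time

# Constructed identifiers for the example. In a real deployment the client
# registration lives in the auth server's database and the secret only on
# App-B's backend, never in App-A's or App-B's front end.
CLIENT_ID = "app-b"
CLIENT_SECRET = "app-b-client-secret"
REDIRECT_URI = "https://appB.example.com/oauth/callback"
CODE_TTL = 60  # seconds; authorization codes are short-lived and single-use


class AuthServer:
    """The common auth server that holds the user's SSO session for both apps."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.sso_sessions = {}  # SSO cookie value -> user id
        self.codes = {}         # auth code -> (client_id, redirect_uri, user, expiry)

    def login(self, user):
        """The user authenticates at the auth server once; its cookie is scoped to its own domain."""
        sid = secrets.token_urlsafe(16)
        self.sso_sessions[sid] = user
        return sid

    def authorize(self, sso_cookie, client_id, redirect_uri, state):
        """GET /authorize, sent by the browser. Returns the query parameters the server
        would append when redirecting back to redirect_uri, or None when the user has
        no SSO session (a real server would show its login page instead)."""
        user = self.sso_sessions.get(sso_cookie)
        if user is None:
            return None
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri is not the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + CODE_TTL)
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """POST /token over the back channel (App-B backend -> auth server).
        This is the only hop on which the client secret travels."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if entry is None:
            raise PermissionError("unknown or already-used code")
        bound_client, bound_uri, user, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client/redirect, or expired")
        return {"access_token": secrets.token_urlsafe(24), "sub": user}


class AppB:
    """App-B's backend, acting as an OAuth2 client of the auth server."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.pending_states = set()  # in practice kept in the user's pre-login cookie/session
        self.sessions = {}           # App-B session cookie -> (user, access_token)

    def start_login(self):
        """No App-B session: mint a state value and send the browser to /authorize."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state}

    def callback(self, code, state):
        """GET /oauth/callback: check state (login CSRF), then redeem the code server-side."""
        if state not in self.pending_states:
            raise PermissionError("state mismatch: not a login this app started")
        self.pending_states.discard(state)
        tok = self.auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
        session_cookie = secrets.token_urlsafe(16)
        self.sessions[session_cookie] = (tok["sub"], tok["access_token"])
        return session_cookie

    def whoami(self, session_cookie):
        return self.sessions.get(session_cookie, (None, None))[0]


def rejected(fn, *args):
    """True if the call is refused with PermissionError; used to exercise the failure modes."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def run_flow(user="alice"):
    """Drive the whole exchange in-process; returns (app_b, app_b_session_cookie, code)."""
    auth = AuthServer()
    app_b = AppB(auth)
    sso_cookie = auth.login(user)                      # user already signed in at the auth server
    req = app_b.start_login()                          # App-B has no session -> redirect
    redirect_back = auth.authorize(sso_cookie, **req)  # auth server recognises the SSO cookie
    cookie = app_b.callback(redirect_back["code"], redirect_back["state"])
    return app_b, cookie, redirect_back["code"]


if __name__ == "__main__":
    app_b, cookie, _ = run_flow()
    print("App-B session belongs to:", app_b.whoami(cookie))
```

The same sequence, with App-A as a second registered client, gives App-A its own session from the same SSO cookie, which is what the answer means by "the same flow goes for appB". One check worth doing before settling on either of the answer's options: App-B is loaded inside an iframe, so any cookie App-B or the auth server relies on is a third-party cookie in that context, and browsers' SameSite defaults will drop it unless it is explicitly set with `SameSite=None; Secure`.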
