
Single Sign On (SSO) using JWT

I have read several articles about SSO but could not find an answer in my mind. I have a scenario like the one below:

Scenario:

  • My company wants to have an SSO mechanism using JWT.
  • The company has 2 different domains, abc.com (abc) and xyz.com (xyz).
  • There is also a masterdomain that manages client authentication.
  • User X wants to log in to abc first.
  • abc sends the credentials to masterdomain; masterdomain authenticates the user and then creates a signed JWT to send back to abc.
  • abc keeps this JWT in a cookie.
  • After a while, if a login to abc is attempted on the same computer, the system does not ask for credentials and automatically logs the user in.

Question:

If the user tries to open a page in the xyz domain, how does the system understand that the user logged in before? I mean, the xyz domain cannot reach the cookie of abc which has the JWT. What information should be sent to xyz that indicates that user X is trying to log in?

Thanks in advance 提前致谢

You can store the JWT authentication token in a cookie / localStorage of an intermediate domain connected to the home page using an iframe.

[Image: cross-domain SSO]

Scenario

  • abc sends the credentials to masterdomain; masterdomain authenticates the user and then creates a signed JWT to send back to abc.

  • masterdomain (rather than abc) keeps this JWT in a cookie.

  • After a while, if a login to abc is attempted on the same computer, the system does not ask for credentials and automatically logs the user in.

Finally, when the user enters the second domain xyz, the JWT is recovered from masterdomain storage using the iframe, and the user is automatically logged in.

CORS is not a problem because masterdomain.com has access to its storage, and communication between iframes is allowed if origin and destination are recognized (see http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage ).

To simplify development, we have recently released an open-source project, cross-domain SSO with JWT, at https://github.com/Aralink/ssojwt
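The answer above relies on a hidden iframe served by masterdomain and on postMessage to hand the stored JWT to abc or xyz. The following is an added example, not code from the answer or from the Aralink/ssojwt project, of the message handling on both sides. The point it adds is where the trust boundary sits: the broker in the iframe must release the token only to an allow-listed parent origin, and only to that exact origin as `targetOrigin`, while the relying page must accept replies only from masterdomain. The origins, the storage key `sso_jwt`, the iframe path and the message type names are assumptions for the demo.

```javascript
// Added example, not code from the answer or from the Aralink/ssojwt project.
// Message handling for the iframe approach: masterdomain serves a small page
// that abc.com and xyz.com embed in a hidden iframe and query with postMessage.
// The security-relevant part is the origin check on BOTH sides. Origins, the
// storage key and the message type names are assumptions for the demo.

const MASTER_ORIGIN = 'https://sso.masterdomain.example'; // assumed
const ALLOWED_PARENTS = new Set(['https://abc.com', 'https://xyz.com']); // assumed allow-list

// Runs inside the masterdomain iframe. `event` is MessageEvent-like
// ({ origin, data }); `storage` exposes getItem() like localStorage.
// Returns { reply, targetOrigin }, or null when the request must be ignored.
function brokerHandleRequest(event, storage, allowedParents = ALLOWED_PARENTS) {
  // Unknown embedder (e.g. evil.example framing the SSO page): answer nothing,
  // not even "no token", so it learns neither the token nor the login state.
  if (!allowedParents.has(event.origin)) return null;
  if (!event.data || event.data.type !== 'sso:get-token') return null;
  const token = storage.getItem('sso_jwt');
  return {
    reply: { type: 'sso:token', token: token || null },
    // Pin delivery to the verified requester. A targetOrigin of '*' would hand
    // the token to whatever document occupies the parent frame at delivery time.
    targetOrigin: event.origin,
  };
}

// Runs on the relying domain (abc or xyz). Only a reply that really comes from
// masterdomain is accepted; returns the token string or null.
function parentHandleReply(event, masterOrigin = MASTER_ORIGIN) {
  if (event.origin !== masterOrigin) return null;
  if (!event.data || event.data.type !== 'sso:token') return null;
  return typeof event.data.token === 'string' ? event.data.token : null;
}

// Browser wiring for the iframe page (not exercised offline).
function installBroker(win, storage) {
  win.addEventListener('message', (ev) => {
    const result = brokerHandleRequest(ev, storage);
    if (result) ev.source.postMessage(result.reply, result.targetOrigin);
  });
}

// Browser wiring for abc/xyz: embed the frame, ask once it has loaded.
function requestTokenFromMaster(doc, win, onToken) {
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  frame.src = `${MASTER_ORIGIN}/sso-frame.html`; // assumed path
  win.addEventListener('message', (ev) => {
    const token = parentHandleReply(ev);
    if (token) onToken(token); // still verify the JWT's signature/exp/aud before use
  });
  frame.onload = () => frame.contentWindow.postMessage({ type: 'sso:get-token' }, MASTER_ORIGIN);
  doc.body.appendChild(frame);
}

// Offline demo with constructed events and an in-memory stand-in for storage.
function demo() {
  const store = { getItem: (k) => (k === 'sso_jwt' ? 'eyJ.constructed.token' : null) };
  const fromXyz = brokerHandleRequest({ origin: 'https://xyz.com', data: { type: 'sso:get-token' } }, store);
  const fromEvil = brokerHandleRequest({ origin: 'https://evil.example', data: { type: 'sso:get-token' } }, store);
  const accepted = parentHandleReply({ origin: MASTER_ORIGIN, data: fromXyz.reply });
  const spoofed = parentHandleReply({ origin: 'https://evil.example', data: { type: 'sso:token', token: 'x' } });
  return { fromXyzToken: fromXyz.reply.token, fromXyzTarget: fromXyz.targetOrigin, fromEvil, accepted, spoofed };
}
```

Two caveats a practitioner should weigh before adopting this design. First, what crosses the domain boundary here is postMessage, not CORS, so the origin checks above are the whole access-control story; drop either one and any site that can embed the iframe can read the session. Second, modern browsers partition third-party storage and cookies (Safari's ITP, Firefox's Total Cookie Protection, Chrome's state partitioning), so an iframe of masterdomain embedded on abc.com may not see the cookie or localStorage that a top-level visit to masterdomain wrote; a redirect-based flow through masterdomain, as in OpenID Connect, does not depend on that.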

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you repost, please credit this site or the original source. For any questions, contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM