
Share token between different domains

I'm looking for a way to securely share a token between one webapp and the front-end of a second webapp.

Environment details:

  • webapp.local : A PHP webapp that stores some data that is restricted to specific users. This webapp is accessible by VPN only.
  • otherwebapp.example : This is a Zendesk instance; it allows us to create a plugin (HTML + JavaScript) that is loaded on the client side.

Notes:

  • webapp.local and otherwebapp.example use different domains (they aren't sub-domains).
  • otherwebapp.example is not able to access webapp.local, but the front-end will be able to (the users are connected to the VPN).

I did some research, and found some options:

  • HTTP Cookies : the "SameSite" attribute needs to be "None" ( reference ). Is that a secure option? I did some tests and it seems that they need to be on the same sub-domain.
  • JS postMessage : It will need to open a popup or an iframe; I did some tests but am still trying to make it work.

The question is: Is there a best practice or another way to share sensitive data (a token) between a webapp and a front-end located on another domain/app?

I think there is not a fully secure way to do it, because you want to handle the sharing on the client side and that will always be exposed. Though you can take a different approach: share a request token via a GET param to the second webapp, and there call a validation API that validates the origin of the request (which should be restricted to the second webapp's domain) and also validates the passed token, and then returns the actual session token.
