Cross domain HTTP POST authentication

Question

We're looking to implement a simple authenticated HTTP POST integration between two web applications, and while something like JWT should work, it seems overkill.

Use case:

1. Application A sends a POST via https to Application B with a hidden form and target=_blank.
2. Application B reads parameters from the POST body, validates and authenticates it, and redirects the user to the correct content further in Application B.

Application B's session cookies are persisted with SameSite=None to capture existing sessions in the same browser.
Application A's and B's servers can be assumed to be in separate restricted environments, so all traffic must go through the browser.
I'd like to avoid having to exchange certificates, a simple text based shared or asymmetric secret would be ideal, if sufficient.

We already have another integration where the sender sends the following:

• Payload
• Timestamp
• Hash combining payload, timestamp and a shared secret

The receiver checks if the sent hash matches a hash that is calculated by the receiver, so essentially an HMAC with a timestamp to prevent stored repeats (but dupes are not protected against, which was fine in this case). I figured adding a nonce which is cached on the receiving end would prevent dupes and just ignore CSRF as we're authenticating every request, but it just seems like this is a problem already solved by people more qualified and I should be using an existing standard or implementation.

Any recommendations? We're using .NET in case that affects library recommendations.

Answer 1

After further research it seems like TOTP ( Time-based One-Time Password ) is what we'll be going with. It meets all of our requirements, only needs a shared secret to be configured on both ends, and there are plenty of existing libraries to use.