问题
I would like to know about the best practices to handle this authentication scenario. I have a registration page called (ie https://public.domain.com/#registration), after the registration is done, I'd like to authenticate the user and redirect him to the app (ie https://app.domain.com/). I have another server where I have the authentication method, api controllers, etc (ie https://api.domain.com/Token , https://api.domain.com/api/getOrders , etc).
From the registration page (https://public.domain.com/#registration) I'm calling (https://api.domain.com/Token) to get authenticated, and storing that in sessionStorage["accessToken"] or localStorage["accessToken"]. No matter where I store this token, it won't be available in the other domain where I redirect the user to (https://app.domain.com/).
My question is: Do I have to pass the token via querystring from https://public.domain.com/#registration to https://app.domain.com/Login?Token=xxxxxxxxxxx so I can use it for storing it in localStorage or sessionStorage, and be authenticated in https://app.domain.com/ ?
How can I have that token available in multiple domains? What are the best practices for doing this? Any big security risks? I already set up my Api box with CORS, so the Token endpoint is accessible in the registration and app servers.
Also I'd like to point out that https://public.domain.com/#registration and https://app.domain.com/ are Single Page Applications, using Durandal, BreezeJS, Knockout, etc. (Hot Towel template).
回答1:
This pretty much answered my question: Single Sign On (SSO) for cross-domain ASP.NET applications
Highlights:
So, how to share the authentication cookie across multiple domains? Well, there is absolutely no way to do that. The fundamental barrier of the HTTP protocol prevents you from sharing a cookie across different domains, primarily for security reasons.
...There is no built-in mechanism in ASP.NET to implement a Single Sign On across these two different sites.
来源:https://stackoverflow.com/questions/26163432/cross-domain-token-based-authentication-using-asp-net-identity-and-asp-net-web-a