How to do single sign-on with NodeJS? [closed]

雨燕双飞 submitted on 2019-12-20 12:30:51

Question


I've got multiple web apps running across multiple domains. I want to implement Single Sign-On, so that a user signs in once to access all apps.

How should I implement this? All apps use NodeJS backend.

General pointers in the right direction are welcome.


Answer 1:


As your apps are running on different domains, there is no way you can share cookies between those apps running on the client machine to validate the user. So somehow the information needs to be shared on the server end.

The simplest solution that comes to my mind is:

  1. Have a shared session for all servers.

  2. Have a specific authentication domain and redirect users there whenever authentication is needed. Authenticate the user there and set a session cookie or token, whatever you want.

  3. Whenever any app of yours needs authentication, redirect it to the authentication domain. The authentication cookie will be served to the authentication domain as well as the referrer domain. On seeing that you are already validated, the authentication server can redirect you to the original app with the proper sessionID, which will be set as a cookie for that domain.

  4. If not authenticated, the user will be asked to authenticate on the authentication server and then the redirection will happen.

  5. With a few changes, you can achieve this using tokens and without the need for shared sessions.

Validate the states properly before implementing it. More states in your mechanism mean more chances of bugs and possible attacks.

Consider moving your apps to the same sub-domain. If the authentication mechanism is the same, then everyone knows that all apps belong to the same company. It will also be easier for people to remember various sub-domains on the same domain rather than remembering all the different domains.
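
The token variant mentioned in step 5, as an added example that is not part of the original answer: the authentication domain hands the app a short-lived, single-use signed token instead of a shared session ID, and the app checks it before setting its own cookie. The app IDs, `example` domains, function names and the HMAC key shared between the authentication domain and the apps are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed values; in practice the key comes from a secret store.
const SIGNING_KEY = crypto.randomBytes(32);
const APPS = {                 // app id -> the exact callback URL it may be sent to
  shop: 'https://shop.example/sso/callback',
  blog: 'https://blog.example/sso/callback',
};

const sign = (body) =>
  crypto.createHmac('sha256', SIGNING_KEY).update(body).digest('base64url');

// Authentication domain: the user already has a session here; issue a token for one app.
function issueRedirect(userId, appId, returnTo, now = Date.now()) {
  // Exact-match allowlist, so the authentication domain is not an open redirector.
  if (!Object.hasOwn(APPS, appId) || APPS[appId] !== returnTo) return null;
  const body = Buffer.from(JSON.stringify({
    sub: userId, aud: appId, exp: now + 60_000, jti: crypto.randomUUID(),
  })).toString('base64url');
  return `${returnTo}?token=${body}.${sign(body)}`;
}

// App: verify the token before creating its own session cookie.
const seen = new Set();        // single-use tracking (in-memory for this demo)
function verifyToken(token, appId, now = Date.now()) {
  const [body, mac, ...rest] = String(token).split('.');
  if (!body || !mac || rest.length) return null;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  // Reject tokens minted for another app, expired tokens, and replays.
  if (claims.aud !== appId || claims.exp <= now || seen.has(claims.jti)) return null;
  seen.add(claims.jti);
  return claims.sub;           // caller now sets a cookie for its own domain
}
```

With one HMAC key shared by every app, any app that can verify tokens can also mint them; signing with a private key held only by the authentication domain removes that.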




Answer 2:


The most used project is http://passportjs.org/, which is pretty much the only one I use; it has great connectors to on-premise solutions like ADFS and third-party ones like Google and Facebook.



Source: https://stackoverflow.com/questions/43631581/how-to-do-single-sign-on-with-nodejs
