Share authentication cookie between IdentityServer4 clients

Time:12-01

I implemented a Single Sign-On (SSO) with two applications as clients. I want the user to be authenticated in the first application through the SSO application, so that in the second application they don't need to log in and be authenticated again (share the authentication cookie).

Information:

localhost:44372 => SSO
localhost:44387 => SSO Client_1
localhost:44382 => SSO Client_2
All Projects are ASP.NET 5

SSO project Code:

Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    //...

    // Register IdentityServer with in-memory resources/clients and test users
    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddInMemoryIdentityResources(Config.GetIndentityResources())
        .AddInMemoryClients(Config.GetClients())
        .AddTestUsers(TestUsers.Users);
}

Config.cs:

public class Config
{
    public static IEnumerable<IdentityResource> GetIndentityResources()
    {
        //...
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>()
        {
            // First client application (localhost:44387)
            new Client()
            {
                ClientId = "Client_1",
                ClientName = "SSO Application",
                AllowedGrantTypes = GrantTypes.Implicit,
                RedirectUris = {"https://localhost:44387/signin-oidc"},
                PostLogoutRedirectUris = {"https://localhost:44387/signout-callback-oidc"},
                AllowedScopes = new List<string>()
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                }
            },
            // Second client application (localhost:44382)
            new Client()
            {
                ClientId = "Client_2",
                ClientName = "SSO Application 2",
                AllowedGrantTypes = GrantTypes.Implicit,
                RedirectUris = {"https://localhost:44382/signin-oidc"},
                PostLogoutRedirectUris = {"https://localhost:44382/signout-callback-oidc"},
                AllowedScopes = new List<string>()
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                }
            }
        };
    }
}

How can I share authentication between clients?

CodePudding user response:

SSO in IdentityServer is implemented not by sharing cookies, but through delegation of the client's authorization to IdentityServer. Your client applications should use the authorization endpoint to authorize with the SSO. Also you need to consider using the authorization_code grant_type: https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
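As an added illustration of the delegation the answer describes (this is example code, not code from the question or from IdentityServer's own samples), here is the client-side Startup.cs one of the two client apps would use. Each client keeps its own local cookie and sends the user to the SSO project's authorization endpoint with the authorization code flow plus PKCE instead of implicit; the single sign-on effect then comes from the session cookie IdentityServer itself sets on localhost:44372. The client secret is a placeholder, and the Authority, client id and callback paths are taken from the question.

```csharp
// Added example client Startup.cs (not part of the original question or answers).
// Assumes ASP.NET Core 5 with the Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAuthentication(options =>
        {
            // The local cookie belongs to this client app only. SSO across the two
            // apps comes from IdentityServer's own session cookie on localhost:44372,
            // so nothing here has to be shared with the other client.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            options.Cookie.Name = "Client_1.Auth"; // distinct name per client app
        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.Authority = "https://localhost:44372"; // the SSO project from the question
            options.ClientId = "Client_1";
            options.ClientSecret = "<client-secret-placeholder>"; // placeholder, must match Config.cs

            // Authorization code flow with PKCE rather than the implicit grant.
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.UsePkce = true;

            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");

            options.SaveTokens = true;                    // keep id/access tokens in the local cookie
            options.GetClaimsFromUserInfoEndpoint = true; // fill in profile claims

            // The handler's default callback paths are /signin-oidc and
            // /signout-callback-oidc, matching the RedirectUris in the question.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            // Any controller route triggers the OIDC challenge when the user is anonymous.
            endpoints.MapDefaultControllerRoute().RequireAuthorization();
        });
    }
}
```

With this in place, a user who has already signed in through Client_1 is redirected by Client_2 to the same authorization endpoint, IdentityServer finds its existing session cookie and issues a code for Client_2 without prompting for credentials again. The server-side Client entry has to be switched from GrantTypes.Implicit to GrantTypes.Code with a matching secret for this to work.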

CodePudding user response:

Cookie sharing is not about IdentityServer, OpenID Connect nor any other SSO technology. It is about a server-hosted app such as ASP.NET (Core) MVC or any other similar one.
The authentication cookie is bound to a host and optionally a path, so there is no problem there when the apps are hosted close together; however ASP.NET keeps its auth token within the cookie and the token is usually bound to the OIDC session, so the answer should be:

When you would like to share the cookie in ASP.NET, you most likely do not need two separate clients in OIDC.

One option is a single identity client with redirect URLs for both apps, and another is combining your two apps into one and using internal routing for separation.

Finally, it might be that you misunderstood the concept of Single Sign-On. It was designed exactly to fulfill your requirement: the user logs in once to get access to several applications. It does not require sharing anything; each unique client obtains its own authentication token (and optionally a number of authorization ones to access APIs).
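As an added example of the "single identity client with redirect URLs for both apps" option in this answer (example code written for this page, not the asker's Config.cs and not from IdentityServer's samples), the IdentityServer-side configuration below registers one Client whose RedirectUris and PostLogoutRedirectUris list both app hosts from the question. It also moves from the implicit grant to the authorization code flow with PKCE. The client id "sso_web" and the secret value are assumptions.

```csharp
// Added example Config.cs for the SSO project (not part of the original question or answers).
// Assumes IdentityServer4 on ASP.NET Core 5.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // Identity resources backing the openid and profile scopes used by the clients.
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile()
        };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                // One logical client shared by both front ends (hypothetical id).
                ClientId = "sso_web",
                ClientName = "SSO Application",

                // Authorization code flow with PKCE instead of GrantTypes.Implicit.
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                ClientSecrets = { new Secret("<client-secret-placeholder>".Sha256()) },

                // Both apps from the question are allowed callback targets.
                RedirectUris =
                {
                    "https://localhost:44387/signin-oidc",
                    "https://localhost:44382/signin-oidc"
                },
                PostLogoutRedirectUris =
                {
                    "https://localhost:44387/signout-callback-oidc",
                    "https://localhost:44382/signout-callback-oidc"
                },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                }
            }
        };
}
```

Whether one client entry or two is used, the single sign-on behaviour is the same: each app still ends up with its own local cookie and its own tokens, and it is IdentityServer's session cookie on localhost:44372 that lets the second app complete its login redirect without a new prompt. Keeping exact redirect URIs for every host is what prevents the authorization response from being sent anywhere other than the two registered apps.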
