
Cross-domain authentication ASP.net MVC

I have two different web applications built with ASP.net MVC. These two applications may not be running on the same server nor in the same domain.

I would like that if a user logs in to one of them, they are automatically logged in to the other. The same should work with logout.

Which do you think is the best solution? Do you know about some example code?

Thanks!

--- EDITED WITH MORE INFO ---

Use case scenario:

The user has the web application A opened on a tab, and at some point of the app there is a link that redirects the user to the web application B. If he is logged in on A, I would like to show him the full page, and if he is not, redirect him to the login form.

Why I need to do it:

Applications A and B are already built. Apparently, the only way of accessing B is clicking on the link located in A, which is only shown if you have previously logged in. The problem is that if you know the URL of some page of B (they are long and complex, but still) you can type it into the browser and access B, which means a security problem.

Ignacio Avatar asked Jul 30 '15 10:07

3 Answers

My answer may not be the best one; however, you can use some tricky mechanism like:

  1. Whenever you are going to another application, you need to pass a token from application A to B.
  2. Validate this token on the B side.
  3. Authorize that user based on the token (I mean, apply a silent or backdoor login).
Kaushik Thanki Avatar answered Sep 22 '22 12:09


I assume you cannot communicate between applications A and B using any shared store. (This could allow some shared session implementation).

The more industry standard way (OpenID Connect) of doing that is like some of the other answers have hinted at. I will try and give more details to get you on the right track.

Both applications A and B should relay the authentication process to a trusted 3rd party (which could be hosted with A, B, or a different application altogether). Let's call it C.

When the user arrives at either A or B (no matter that B has weird complicated URLs, she can always bookmark those) her request should contain an authorization token. If it doesn't, she is not authenticated and would be redirected to C and presented with some login mechanism, say a user/pass form.

After successful login, she is redirected back to A/B (depending on where she came from) with the authentication token to complete whatever she was doing. Now, having the authentication token present, she is authenticated.

If she is authenticated with A and then redirected to B, this redirect should contain the token as well; B would know how to trust that token.

Now, if she just opens up a new tab, B would not see any token, and so she would be redirected to C, only to be redirected back (she is already authenticated, remember?) to B with the token, and now all is good.

What I described is a common flow using OpenID Connect, and if using .net, I really suggest using IdentityServer from Thinktecture to do the hard work for you and be your "C".

Another option is to pay for such a "C" hosted as a SaaS application; check out Auth0.

Yoad Snapir Avatar answered Sep 24 '22 12:09

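The token handoff described in this answer and the previous one (C issues a token, A passes it to B, B validates it before trusting the user), as an added example that is not part of any of the answers. It assumes a constructed HMAC secret shared by B and C and uses a simplified signed-JSON token instead of a real OpenID Connect ID token, so it shows what B has to check (signature, audience, expiry) rather than a full IdentityServer setup.

```python
# Added example (not from the answers): minimal signed token handoff between
# applications A and B, minted by the trusted party C described above.
# Assumes B and C share SECRET (placeholder; distribute it out of band) and
# uses a home-grown "<base64 json>.<base64 hmac>" format, not a real OIDC id_token.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"placeholder-secret-shared-by-C-and-B"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user: str, audience: str, ttl: int = 300, now=None) -> str:
    """C mints a token naming the user, the app it is meant for (aud) and an expiry."""
    now = time.time() if now is None else now
    claims = {"iss": "C", "sub": user, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(secret: bytes, token: str, expected_audience: str, now=None):
    """B checks signature, issuer, audience and expiry before trusting any claim.
    Returns the claims dict on success, or None when the token must be rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected_sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(_unb64(sig), expected_sig):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64/JSON or wrong number of parts
        return None
    if claims.get("iss") != "C" or claims.get("aud") != expected_audience:
        return None  # not minted by C, or minted for a different application
    if now >= claims.get("exp", 0):
        return None  # expired: a copied link must not keep working indefinitely
    return claims


if __name__ == "__main__":
    t = issue_token(SECRET, "alice", "B")        # A forwards this to B in the redirect
    print(validate_token(SECRET, t, "B"))        # claims accepted by B
    print(validate_token(SECRET, t, "A"))        # None: token was meant for B, not A
    print(validate_token(SECRET, t + "x", "B"))  # None: signature no longer matches
```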

You can implement OAuth in project A. You can get more help here: http://www.openauthentication.org/about

Bashir Mahmoudi Avatar answered Sep 25 '22 12:09
