JWT token for multiple websites

How can I have a single JWT token be shared among multiple websites. I assume that the first thing would be to have the same secret on all websites.

If a user logs in on site A and a token is generated I want to use the same token for website B on a totally different domain.

Can it be done?

Cristian asked Feb 16 '16 04:02



1 Answer

What you want can be done, but not with a single JWT token. A JWT token is intended for a certain service or application indicated by the audience (aud) claim. You cannot use the same token for another application or service.

What typically happens to make your SSO scenario work is that the user logs in to the token issuing (authorization) server. As long as that session is valid, the user can acquire tokens for all applications the server can issue tokens for.

So, when the user logs in to the first application, the authorization server sets a cookie to establish a session. When the user navigates to the second application, the application redirects him/her to the authorization server for authentication. The authorization server detects the session cookie and does not prompt the user to log in again, but issues a new JWT token for the second application.

MvdD answered Oct 03 '22 07:10

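The flow the answer describes, as an added example that is not part of the original post: a tiny authorization server keeps the user's login session, issues a separate JWT per application with that application's own `aud` claim, and each application verifies signature, issuer, audience and expiry before trusting the token. The issuer URL, the application audiences, the signing key and the credential check are constructed placeholders. The JWT signing here is a minimal HS256 implementation in the standard library so the example runs offline; it is not a substitute for a maintained JWT library, and a shared HS256 key means every application can mint tokens, so a real deployment would normally use an asymmetric algorithm (RS256/ES256) and give the applications only the public key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values: a symmetric signing key the authorization server
# shares with the applications, and a hypothetical issuer URL.
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"
ISSUER = "https://auth.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Check signature first, then iss/aud/exp. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        # This is the check that stops a token for site A being replayed against site B.
        raise ValueError(f"token audience {claims.get('aud')!r} is not {expected_aud!r}")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    """Holds the user's login session and issues one JWT per application."""

    def __init__(self):
        self._sessions = {}  # session cookie value -> user id

    def login(self, user: str, password: str) -> str:
        # Constructed credential check standing in for a real user store.
        if password != "correct-horse":
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def issue_token(self, session_cookie: str, audience: str, ttl: int = 300) -> str:
        """Redirect target for an application: no session cookie means a fresh login."""
        user = self._sessions.get(session_cookie)
        if user is None:
            raise PermissionError("no valid session; user must log in")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        return sign_jwt(claims, SIGNING_KEY)


def sso_demo() -> dict:
    """One login, two applications, two tokens, and a cross-application rejection."""
    auth = AuthorizationServer()
    cookie = auth.login("alice", "correct-horse")               # site A redirected the user here
    token_a = auth.issue_token(cookie, "site-a.example.test")
    token_b = auth.issue_token(cookie, "site-b.example.test")  # same session, no second login
    result = {
        "a_accepts_own": verify_jwt(token_a, SIGNING_KEY, "site-a.example.test")["sub"],
        "b_accepts_own": verify_jwt(token_b, SIGNING_KEY, "site-b.example.test")["sub"],
    }
    try:
        verify_jwt(token_a, SIGNING_KEY, "site-b.example.test")
        result["b_accepts_a_token"] = True
    except ValueError:
        result["b_accepts_a_token"] = False
    return result


if __name__ == "__main__":
    print(sso_demo())
```

The point to take from `sso_demo` is that the "single token" the question asks for is replaced by a single session at the authorization server: site B never sees site A's token, it sends the user to the issuer, which recognises the session cookie and mints a token whose `aud` is site B. If the two sites did share one secret and skipped the audience check, a token stolen from one would be valid at the other, which is exactly the coupling the answer warns against.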