Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Share authentication between two websites

Tags:

authentication

cookies

oauth

openid

dotnetopenauth

What is the best/proper technique to share login between two sites.

I have website A, and some websites B. Both types belong to the same company, but B is running on the customer premises. What I would like, is that users login in B, and when redirected to A for some reason, they don't need to login again, and they can work with their account in A.

Of course, the company will make logins for each 'B' user. The problem is that the user could initiate the login in A or B.

Would OAuth do? Or OpenID would be more suitable?

Another option is pass a GUID token in the GET string, with a sort time to live and only valid for the IP address of the requester, but it is not sure the user would access the web sites through the same gateway.

Thanks

like image 925
vtortola Avatar asked Jul 21 '11 16:07

vtortola

2 Answers

OAuth is exactly what you need. OpenID offers discovery which is only useful when the user gets to choose who to authenticate with (not your use case). Also, OpenID is much more complicated and is a dying protocol.

In your scenario, Server A is the OAuth server (or authorization server in OAuth 2.0) and Server B is the client. There are many ways to implement this, but I would suggest you start by looking (and trying) how Facebook OAuth 2.0 implementation works. It will give you a good idea of what is involved and some of their extension (e.g. display) which make it more user-friendly.

like image 188
Eran Hammer Avatar answered Nov 09 '22 09:11

Eran Hammer

You are talking about single sign-on. Does the company who owns Website A provide remote sign-on in their api?

You need to make sure that the log-on information is encrypted when it is passed to website A. The last single sign-on I built required me to pass the user's AD name encrytped via RSA and hashed with MD5. The third party had a database of the user's AD name and their password to the third party site. When the user clicked a link, their encrypted information was sent to the log-on api of the third party and the third party redirected them to the welcome page with the log on process complete.

If you are building a single sign-on API yourself, as in you have control over website A, OAuth is a respectable choice. It is fairly easy to impliment.

like image 40
Ryan Bennett Avatar answered Nov 09 '22 09:11

Ryan Bennett
Sign in to Comment

Related questions

best gem for login system [closed]
ASP.NET MVC solution for OpenID + OAuth + trivial authentication
can't authenticate with Facebook
How to verify Android id token on App Engine backend
Auth between a website and self-owned API
Can i use Jasig CAS server for android mobile applications?
Token based authentication using Play 2 Framework
What is the role of app key and secret key in every SDK
Making a logged in user-variable in AngularJS+laravel
DMARC/SPF/DKIM not authenticating with third-party mail
Using Ansible on windows with domain user
Steam authentication with Angular
How-To get details of 401 Unauthorized from ASP.NET Core 2.1 API
Microsoft graph return "access token is empty"
React keycloak TypeError: kc.updateToken(...).success is not a function
What is OpenID "Automatic Login"?
Authenticated HttpWebRequest with redirection, persisting credentials?
Built-in password authentication dialog in Cocoa?
How can I log into a website using python?
Spring SecurityContext returning null authentication on error pages

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!