Share authentication between two websites

What is the best/proper technique to share login between two sites.

I have website A, and some websites B. Both types belong to the same company, but B is running on the customer premises. What I would like, is that users login in B, and when redirected to A for some reason, they don't need to login again, and they can work with their account in A.

Of course, the company will make logins for each 'B' user. The problem is that the user could initiate the login in A or B.

Would OAuth do? Or OpenID would be more suitable?

Another option is to pass a GUID token in the GET string, with a short time to live and only valid for the IP address of the requester, but it is not certain the user would access the web sites through the same gateway.

Thanks

vtortola Avatar asked Jul 21 '11 16:07


2 Answers

OAuth is exactly what you need. OpenID offers discovery which is only useful when the user gets to choose who to authenticate with (not your use case). Also, OpenID is much more complicated and is a dying protocol.

In your scenario, Server A is the OAuth server (or authorization server in OAuth 2.0) and Server B is the client. There are many ways to implement this, but I would suggest you start by looking (and trying) how Facebook OAuth 2.0 implementation works. It will give you a good idea of what is involved and some of their extension (e.g. display) which make it more user-friendly.

Eran Hammer Avatar answered Nov 09 '22 09:11


You are talking about single sign-on. Does the company who owns Website A provide remote sign-on in their API?

You need to make sure that the log-on information is encrypted when it is passed to website A. The last single sign-on I built required me to pass the user's AD name encrypted via RSA and hashed with MD5. The third party had a database of the user's AD name and their password to the third party site. When the user clicked a link, their encrypted information was sent to the log-on API of the third party and the third party redirected them to the welcome page with the log-on process complete.

If you are building a single sign-on API yourself, as in you have control over website A, OAuth is a respectable choice. It is fairly easy to implement.

Ryan Bennett Avatar answered Nov 09 '22 09:11
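Both answers point at OAuth 2.0 with site A as the authorization server and site B as the client. The following is an added example, not code from either answerer or from any OAuth library: a toy in-process model of the authorization code flow in Python, showing the redirect from B to A, a code bound to B's registered redirect URI that expires after 60 s, B's state check on the callback, and the single-use back-channel exchange of the code for a token using B's client secret. The hostnames, client id and secret are constructed placeholders.

```python
import hmac, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed registration data: B is the OAuth client registered at A; the secret is a
# placeholder for a value shared out of band when B is registered.
CLIENT_ID = "site-b"
CLIENT_SECRET = "placeholder-client-secret"
REDIRECT_URI = "https://b.example/oauth/callback"

def query_param(url, name):
    return parse_qs(urlparse(url).query)[name][0]

class AuthorizationServerA:  # site A: holds the accounts, issues codes and tokens
    def __init__(self, now=time.time):
        self.now = now                                  # injectable clock for tests
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}   # code -> (client_id, redirect_uri, user, expires_at)
        self.tokens = {}  # access_token -> user
    def authorize(self, client_id, redirect_uri, state, logged_in_user):
        """Runs after the user has logged in at A; returns the redirect back to B."""
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, logged_in_user, self.now() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel code exchange: authenticate B, check binding and expiry."""
        if not hmac.compare_digest(client_secret, self.clients[client_id][0]):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: each code is redeemable once
        if entry is None or entry[:2] != (client_id, redirect_uri) or entry[3] < self.now():
            raise PermissionError("invalid, mismatched or expired code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry[2]
        return token

class ClientB:  # site B: never sees the user's password for A, only codes and tokens
    def __init__(self, server):
        self.server, self.pending = server, set()
    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the callback to this browser session
        self.pending.add(state)
        return "https://a.example/authorize?" + urlencode({"response_type": "code",
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state})
    def callback(self, url):
        state = query_param(url, "state")
        if state not in self.pending:
            raise PermissionError("unknown state: this redirect was not started here")
        self.pending.discard(state)
        return self.server.token(CLIENT_ID, CLIENT_SECRET, query_param(url, "code"), REDIRECT_URI)
```

In a real deployment A's user login and B's callback would be HTTP endpoints and the code exchange a server-to-server POST; the checks (registered redirect URI, short code lifetime, single use, state, client authentication) are what this toy keeps.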