We just have been discussing the login and logout behaviour when using OAuth 2. Let's say we have two webapps A
and B
using one OAuth provider O
(built using the spring-security-oauth2 stack).
When you want to login to A
you get redirected to O
, enter your credentials, get a session there on O
, redirected back to A
with an access token and a session is created on A
as well.
Now when you want to login to B
you get redirected to O
, get directly sent back with a token to B because you still have a valid sesison on O
and a session is created on B
as well (without having to enter your credentials again).
This solves our single sign on problem.
A requirement now is, that when logging out from A
or B
you are logged out always from both/all apps (single sign off).
Our idea is:
A
or B
want to logout a user, they redirect him to the logout page of O
O
, all access tokens belonging to the current session on O
are removed and the user gets redirected back to A
or B
A
or B
gets destroyedA
and B
check for the validity of their OAuth access token on each request and destroy their session if the token is not valid any moreDo you think this is a valid use case for OAuth 2? How you would you implement single sign off differently?
OAuth (Open Authorization) is an open standard for token-based authentication and authorization which is used to provide single sign-on (SSO). OAuth allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
To Start, OAuth is not the same thing as Single Sign On (SSO). While they have some similarities — they are very different. OAuth is an authorization protocol. SSO is a high-level term used to describe a scenario in which a user uses the same credentials to access multiple domains.
OAuth 2.0 is not an authentication protocol. Much of the confusion comes from the fact that OAuth is used inside of authentication protocols, and developers will see the OAuth components and interact with the OAuth flow and assume that by simply using OAuth, they can accomplish user authentication.
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
The reason there is no categorical answer to this question is that it all depends on your preference for the user experience, and on the extent to which you trust and/or have control of the apps and servers.
I think there are several ways you might do it and your proposal is definitely workable. I would criticise it only because a) you are using an OAuth token as a session token, and they aren't really the same thing, and b) the "check for the validity of their OAuth access token on each request" part is a bit vague, and I suspect the UX might suffer.
In general it is not always desirable to have single sign-off from a system of OAuth2 client apps - the users might believe that they are logged into separate systems, which happen to authenticate conveniently for them, and not actually want a single sign off experience (e.g. if I log out of one facebook user-provided app, I don't expect to be logged out of my timeline).
If you do need a single sign off and all your apps are in the same domain you can have them share a session cookie scoped to the domain they share. This is dangerous if other apps share the same domain and might not want to participate in the single-sign-on/off behaviour, or if you might not trust them to keep the cookies secret.
With Spring Session you can be more sophisticated and share a session token only among apps that you trust (since you provide only them with access to the session store). That would probably be quite efficient, and I might do it that way in your position, if I had control of all the moving pieces.
It might help to look at the OpenID Connect Session Management Spec to see if there are any ideas there. There is definitely the concept of an identity token (distinct from the access token). I think they suggest doing the validation checks in the browser with scripts in an iframe, which seems awfully ugly, but maybe there really isn't a better way. If you like that idea then you could maybe do the same thing with normal session cookies (no need for the full blown OIDC probably).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With