Nik Gubin, 2016-08-15 12:37:35
PHP

And how do you implement cross-domain authorization?

Good afternoon, friends. An interesting task has come my way, one I have no experience with yet. I want to say right away that this question is not a request to write code for me; it is purely for discussion, so that you can confirm my thoughts or correct the mistakes in them.
Task:
There is an authorization server on which user accounts are stored, with access rights and much more. There are microservices in which authorization is needed to access the rights (specifically, the rights for that microservice) and data. If we log in on one of the services, we must be logged in on each of the others as well (I will describe a nuance later). Likewise when logging out. (Physically, all the microservices may be located on different servers, run on different versions of libraries, and work with different databases, or not use one at all.)
My thoughts:
Perform the authorization on the authorization server's side (let it be like Google: accounts.example.com); after the redirect we return to the service we need. Embed an iframe in the HTML with an external link to check/renew the session (and if there is no session, the JS inside the iframe sends us to the authorization server).
The nuance of automatic authorization:
The user must click a button, is transferred to the authorization server, and from there is sent back.
I borrowed all of this from Google, because I still don't know many things. For example:
- How do I implement saving the session on the microservice's side after the redirect so that the data is not compromised? (encrypt it?)
- How do I store the session on the microservice's side? (I think the old-fashioned way, in a session)
I would be grateful for any theory. But let's remember that this is a discussion, no hate please)

2 answers
Nikolai Korabelnikov, 2016-08-25
@gubin_niko

You have practically described the SAML protocol. What you call an authorization server is an Identity Provider (IdP) in SAML terminology. The other services are Service Providers (SPs).
When you try to log in to one of the SPs, you are redirected to the IdP, which checks whether you are already authenticated. If so, a reverse redirect to the SP happens immediately, carrying signed data about your authenticated session. If you have not been authenticated, the IdP first checks your credentials (login and password, OTP, or whatever you configure) and then likewise redirects the browser to the SP with signed information about the user and the status of his session.
The SAML protocol also implements single logout.

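A worked illustration of the flow both posts describe (IdP authenticates, redirects back to the SP with signed data, SP keeps its own local session, IdP drives single logout), and of the two open questions in the original post: protecting the data that comes back after the redirect, and where the session lives on the microservice side. This is an added example, not code from the thread or from any SAML library; it is written in Python rather than PHP for brevity, and the shared HMAC key, the hostnames and the IdP/SP helper classes are assumptions. Real SAML signs an XML assertion with the IdP's private key and the SP verifies it with the IdP's public key; a shared-key HMAC is used here as a stand-in so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret for the demo only. In practice each SP would hold
# its own key, or (as in SAML) the IdP signs with a private key and SPs verify
# with the IdP's public key.
SHARED_KEY = b"demo-shared-secret-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdP:
    """The 'authorization server' (accounts.example.com in the question)."""

    def __init__(self, key, now=time.time):
        self.key, self.now = key, now
        self.sessions = {}  # session index -> user, roles, SPs that consumed it

    def login(self, user, roles):
        # Runs after the user has proven credentials at the IdP.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "roles": roles, "sps": set()}
        return sid

    def issue_assertion(self, sid, audience, ttl=60):
        # Signed, short-lived, audience-bound data carried in the redirect back
        # to the SP; the nonce lets the SP reject a replayed redirect.
        sess = self.sessions[sid]
        payload = {"sub": sess["user"], "roles": sess["roles"], "aud": audience,
                   "sid": sid, "exp": int(self.now()) + ttl,
                   "nonce": secrets.token_hex(8)}
        body = b64url(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        sess["sps"].add(audience)
        return body + "." + b64url(sig)

    def logout(self, sid, sps):
        # Single logout: tell every SP that consumed this session to drop it.
        sess = self.sessions.pop(sid)
        for name in sess["sps"]:
            sps[name].revoke(sid)


class SP:
    """One microservice. It never trusts redirect data without verifying it."""

    def __init__(self, name, key, now=time.time):
        self.name, self.key, self.now = name, key, now
        self.sessions = {}      # server-side session store, keyed by cookie id
        self.seen_nonces = set()

    def consume_assertion(self, token):
        body, _, sig = token.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        payload = json.loads(b64url_decode(body))
        if payload["aud"] != self.name:
            raise ValueError("assertion issued for another service")
        if payload["exp"] < self.now():
            raise ValueError("assertion expired")
        if payload["nonce"] in self.seen_nonces:
            raise ValueError("assertion replayed")
        self.seen_nonces.add(payload["nonce"])
        # Only an opaque cookie id reaches the browser; rights stay server-side.
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"user": payload["sub"],
                                 "roles": payload["roles"], "sid": payload["sid"]}
        return cookie

    def is_logged_in(self, cookie):
        return cookie in self.sessions

    def revoke(self, sid):
        for cookie in [c for c, s in self.sessions.items() if s["sid"] == sid]:
            del self.sessions[cookie]


def run_demo():
    """Logs in on two SPs, tries four bad assertions, then logs out everywhere."""
    idp = IdP(SHARED_KEY)
    billing = SP("billing.example.com", SHARED_KEY)   # constructed hostnames
    reports = SP("reports.example.com", SHARED_KEY)
    sps = {sp.name: sp for sp in (billing, reports)}
    results = {}

    sid = idp.login("alice", ["billing:read", "reports:admin"])
    t_billing = idp.issue_assertion(sid, billing.name)
    c_billing = billing.consume_assertion(t_billing)
    c_reports = reports.consume_assertion(idp.issue_assertion(sid, reports.name))
    results["both_logged_in"] = billing.is_logged_in(c_billing) and reports.is_logged_in(c_reports)

    def rejected(sp, token):
        try:
            sp.consume_assertion(token)
            return False
        except ValueError:
            return True

    body, _, sig = t_billing.partition(".")
    forged_payload = {**json.loads(b64url_decode(body)), "roles": ["billing:admin"]}
    forged = b64url(json.dumps(forged_payload, sort_keys=True).encode()) + "." + sig
    results["forged_rejected"] = rejected(billing, forged)
    results["replay_rejected"] = rejected(billing, t_billing)
    results["wrong_audience_rejected"] = rejected(reports, t_billing)
    results["expired_rejected"] = rejected(billing, idp.issue_assertion(sid, billing.name, ttl=-1))

    idp.logout(sid, sps)
    results["any_logged_in_after_logout"] = billing.is_logged_in(c_billing) or reports.is_logged_in(c_reports)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The answer to the "encrypt?" question in the original post is that integrity matters more than secrecy here: the SP must be able to detect that the user id, roles or expiry were altered in transit, which the signature provides; encryption can be layered on top if the payload itself must stay hidden from the browser. Storing only an opaque cookie id at the SP and keeping the rights server-side ("the old-fashioned way, in a session") is the right instinct, and the session index carried in the assertion is what makes single logout possible. In PHP the same checks map onto hash_hmac() and hash_equals().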
OnYourLips, 2016-08-15
@OnYourLips

This approach is called OAuth; there are many ready-made libraries and plugins for it.
So there is no need to invent anything.
