Answer the question
In order to leave comments, you need to log in
Is everything correct in this authorization process?
Hello. Briefly, the situation is as follows: there is an application that stores information about users and their access rights for various projects (web applications). The actual process of user authorization on these services involves the following steps:
1. The user accesses the service.
2. Redirected to the central application for authorization.
3. Enters login and password.
4. The central application creates a JWT token, which contains the user's access level for a specific project (I'm guessing, bound by IP, or something similar).
5. The application redirects the user back to this service along with the token.
6. The token is validated and placed in cookies for the user. On subsequent requests to the service, authorization occurs by the token stored in cookies until its validity period expires.
Actually, I have a question about the fifth point, namely how to redirect a user with a token to the service. It is assumed that in the future some information about the user can be placed in the token, therefore (and not only) passing the token in the query string confuses me (maybe I'm wrong). In this regard, it comes to mind to submit a certain form (POST) with the transfer of a token in the request body, but through a redirect I don’t really know how to do this.
So, it turns out that after a successful login, I need to render a form (invisible to the user), which is automatically sent to the client via JS (well, leave a spare link if the latter is turned off). For some reason it all seems like a bicycle to me. That's exactly why I'm asking.
Thank you.
Answer the question
In order to leave comments, you need to log in
What about OAuth2 authorization? Didn't think? A well-documented protocol that all known services use and no questions asked. It just solves your issue. I redirected to the central application, logged in, returned back with the code, and then requested a token using the POST code. Where should I save it.
In any case, you should have all the necessary information in the token. For example, in the form of a token ID using the OpenId Connect protocol. After authentication, the user is redirected to a specific endpoint on which you create a session for this user and with which he then quietly walks through your resource
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question