Sharing Authentication Between Two

What is the best / right way to share a login between two sites?

I have website A and some websites B. Both belong to the same company, but B runs on the client's premises. I would like users to log into system B and, when for some reason they are redirected to A, not have to log in again, so that they can work with their account in A.

Of course, the company will create logins for each user of B. The problem is that the user could initiate a login in either A or B.

Will OAuth do? Or will OpenID be more appropriate?

Another option is to pass a GUID token in the GET string with a short time to live, valid only for the requestor's IP address, but I am not sure that the user will access the websites through the same gateway.

thanks

+4
2 answers

OAuth is exactly what you need. OpenID offers discovery, which is only useful when the user chooses who should authenticate them (not your use case). In addition, OpenID is a much more complex and flexible protocol.

In your scenario, server A is the OAuth server (or the authorization server, in OAuth 2.0 terms), and server B is the client. There are many ways to implement this, but I suggest you start by looking at (and trying) Facebook's OAuth 2.0 implementation. That will give you a good idea of what is involved, and some of their extensions (like display) make it more convenient.

+8
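The flow the answer describes, with A as the authorization server and B as the client, as an added example that is not part of the original answer or of any real site's code. It is an in-memory model of the OAuth 2.0 authorization-code grant; the site names, URLs, client credentials and the 60-second code lifetime are assumptions. It also shows why this beats the questioner's GUID-in-the-URL idea: the code is short-lived, single-use and bound to the registered client and redirect URI rather than to a client IP address, and B's `state` value ties the callback to a login B actually started.

```python
"""Added example: minimal OAuth 2.0 authorization-code handoff between Site B (client)
and Site A (authorization server). Not the original answer's code; all names assumed."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL_SECONDS = 60  # assumed; real deployments use similarly short lifetimes


class AuthorizationServer:
    """Site A: owns the user accounts, issues authorization codes and access tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> record(client_id, redirect_uri, user, expires, used)
        self.tokens = {}    # access_token -> user

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, user):
        """Called once the user has logged in at A. Returns the redirect back to B."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:   # exact match, never a prefix match
            raise PermissionError("redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, user=user,
                                expires=self.clock() + CODE_TTL_SECONDS, used=False)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: back-channel exchange of the code for an access token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        rec = self.codes.get(code)
        if (rec is None or rec["used"] or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri or self.clock() > rec["expires"]):
            raise PermissionError("invalid, expired or replayed code")
        rec["used"] = True  # single use: replaying a leaked code fails
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = rec["user"]
        return tok

    def whoami(self, access_token):
        return self.tokens.get(access_token)


class Client:
    """Site B: never sees the user's password for A, only a code and then a token."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.session = {}  # the browser session at B (one user, for simplicity)

    def start_login(self):
        self.session["state"] = secrets.token_urlsafe(16)  # CSRF binding for the callback
        return "https://a.example.com/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": self.session["state"]})

    def callback(self, url):
        q = parse_qs(urlparse(url).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        expected = self.session.pop("state", None)
        if expected is None or not secrets.compare_digest(expected, state):
            raise PermissionError("state mismatch: callback not tied to a login B started")
        return self.server.token(self.client_id, self.client_secret, code, self.redirect_uri)


def _raises(fn):
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo():
    """Runs the happy path and three failure modes; returns the outcomes."""
    clock = {"t": 1_000_000.0}
    a = AuthorizationServer(clock=lambda: clock["t"])
    a.register_client("site-b", "s3cr3t", "https://b.example.com/cb")  # assumed values
    b = Client(a, "site-b", "s3cr3t", "https://b.example.com/cb")
    results = {}
    # Happy path: B starts the login, A authenticates alice, B exchanges the code.
    state = parse_qs(urlparse(b.start_login()).query)["state"][0]
    back = a.authorize("site-b", "https://b.example.com/cb", state, "alice")
    code = parse_qs(urlparse(back).query)["code"][0]
    results["user"] = a.whoami(b.callback(back))
    # A code leaked from a referrer log or proxy cache cannot be used twice.
    results["replay_rejected"] = _raises(
        lambda: a.token("site-b", "s3cr3t", code, "https://b.example.com/cb"))
    # A callback carrying a state B never issued (login CSRF) is refused.
    b.start_login()
    forged = a.authorize("site-b", "https://b.example.com/cb", "attacker-state", "mallory")
    results["csrf_rejected"] = _raises(lambda: b.callback(forged))
    # A code presented after its time to live is refused.
    state = parse_qs(urlparse(b.start_login()).query)["state"][0]
    back = a.authorize("site-b", "https://b.example.com/cb", state, "alice")
    clock["t"] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = _raises(lambda: b.callback(back))
    return results


if __name__ == "__main__":
    print(demo())
```

The code-for-token exchange runs server-to-server with B's client secret, so the only value that ever travels through the user's browser is a one-shot code that is useless without that secret; this is what removes the need to bind anything to the client's IP address or gateway.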

You are talking about single sign-on. Does the company that owns website A provide remote login through their API?

You need to make sure that the login information is encrypted when it is sent to website A. The last single sign-on I built required me to pass the AD username encrypted with RSA and hashed with MD5. The third party had a database of AD usernames and their passwords on the third-party site. When the user clicked the link, their encrypted information was sent to the third-party login, and the third party redirected them to the welcome page once the login process completed.

If you are building the single sign-on API yourself, since you have control over site A, OAuth is a respectable choice. It is quite easy to put into action.

+2
