I have two web applications (prototypes) hosted on two subdomains, for example:
1) CMS (made in PHP) at cms.mydomain.com.
2) SPA (single-page application, made in JavaScript) at spa.mydomain.com.
The user's flow:
The user can access the CMS application and authenticate with username and password.
After successful authentication, a web page with some elements is presented in the CMS application.
The user can select an item and open the SPA application in a new window.
Currently, after authentication is completed in the CMS application, a bearer token is created, and we pass the TOKEN to the SPA application as a query string for user authentication.
The SPA JavaScript application reads the token and other additional parameters from the query string and makes API calls to do its work.
Notes:
- We use HTTPS for both applications.
- The SPA application can only be accessed after authentication in the CMS.
- The SPA application that receives the token lives in a .HTML file, and API calls are made only from JS.
- The bearer token has a validity period of 14 days.
- The token gives full access to the SPA application.
- The token can also be transferred from the CMS to the SPA using JS.
- Tokens are generated by a third application, api.mysite.com.
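The hand-off described in the question, as an added example that is not part of the original post and not the poster's code: the SPA side reading a token passed in the query string (the current scheme), next to two alternative transports the notes leave open (URL fragment, and a window.postMessage hand-over from the CMS, which the note "the token can also be transferred using JS" allows for). The URLs, the parameter name `token`, the message shape `{type: 'spa-token', token}` and the origin `https://cms.mydomain.com` are assumptions for illustration.

```javascript
// Added example (not from the original question). Shows how the SPA can receive
// the token from the CMS and attach it to API calls. URLs, the "token" parameter
// name, CMS_ORIGIN and the message shape are assumptions, not the poster's code.

// Scheme currently used: token in the query string, e.g. (constructed URL)
//   https://spa.mydomain.com/app.html?token=tok123&item=42
// Everything after "?" is sent to spa.mydomain.com's web server (so it lands in
// access logs), is stored in browser history and may be forwarded in a Referer
// header when the page loads resources from elsewhere.
function tokenFromQuery(href) {
  const url = new URL(href);
  const token = url.searchParams.get('token');
  url.searchParams.delete('token');          // URL to show once the token is read
  return { token, cleanHref: url.toString() };
}

// Alternative transport: token in the URL fragment, e.g. (constructed URL)
//   https://spa.mydomain.com/app.html?item=42#token=tok123
// The fragment never leaves the browser: it is not sent in the request for the
// .html file and is not part of the Referer header. It still sits in history
// until the SPA strips it.
function tokenFromFragment(href) {
  const url = new URL(href);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const token = params.get('token');
  params.delete('token');
  url.hash = params.toString();              // '' also removes the trailing '#'
  return { token, cleanHref: url.toString() };
}

// Alternative transport using JS only: the CMS page opens the SPA window and
// hands the token over with window.postMessage, so it never appears in a URL.
// The SPA must check event.origin before trusting the message, because any page
// that holds a reference to the SPA window can call postMessage on it.
const CMS_ORIGIN = 'https://cms.mydomain.com';   // assumed origin of the CMS

function acceptTokenMessage(event, allowedOrigin = CMS_ORIGIN) {
  if (event.origin !== allowedOrigin) return null;             // foreign sender
  if (!event.data || event.data.type !== 'spa-token') return null;
  return typeof event.data.token === 'string' ? event.data.token : null;
}

// In the browser the pieces are wired up like this (not executed here):
//   window.addEventListener('message', e => {
//     const t = acceptTokenMessage(e);
//     if (t) session.token = t;                 // keep it in a JS variable only
//   });
//   // for the URL variants, right after reading the token:
//   history.replaceState(null, '', cleanHref);  // drop it from the address bar/history

// Options for the API call to api.mysite.com: the token travels in the
// Authorization header, never in the URL.
function apiRequest(token, method = 'GET') {
  return {
    method,
    headers: { Authorization: 'Bearer ' + token, Accept: 'application/json' },
    // usage: fetch('https://api.mysite.com/items/42', apiRequest(session.token))
  };
}
```

Both URL variants return the token together with the URL the SPA should write back with `history.replaceState`, so the 14-day, full-access token is not left in the address bar or history; the `postMessage` variant avoids the URL entirely but depends on the origin check.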