Single sign off using OAuth 2
We have been discussing login/logout behaviour when using OAuth 2. Let's say we have two web apps, A and B, using one OAuth provider, O (built using the spring-security-oauth2 stack).

When I want to log in to A, I get redirected to O, enter my credentials, a session is created there on O, I get redirected back to A with an access token, and a session is created on A as well.

Now when I want to log in to B, I get redirected to O and am straight away sent back to B with a token, because I still have a valid session on O; a session is created on B (without having to enter my credentials again).

This solves our single sign-on problem.

A further requirement is that when logging out of A or B, the user is logged out of both/all apps (single sign-off).

Our thought is:

- enhance the access token with the current session id
- if app A or B wants to log out the user, redirect him to the logout page of O
- if the user gets logged out of O, the access tokens belonging to the current session on O are removed, and the user gets redirected back to A or B
- the session on A or B gets destroyed
- A and B check the validity of the OAuth access token on each request, and destroy the session if the token is not valid anymore

Do you think this is a valid use case for OAuth 2? How would you implement single sign-off differently?
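The flow proposed in the question, simulated end to end as an added example (this is illustrative code written for this page, not code from the question or from spring-security-oauth2). The provider O, the apps A and B, the browser cookie jar, the demo credential and the token format are all simplified stand-ins: O is an in-memory object, tokens are random strings bound to the provider-side session that issued them, "redirects" are plain method calls, and the per-request validity check is a token introspection call against O.

```python
"""Simulation of the single sign-off design from the question.

Added illustration, not code from the question or from spring-security-oauth2.
Provider O, apps A and B, the browser cookie jar and the credentials below
are constructed stand-ins; the real system would use HTTP redirects and a
token introspection endpoint instead of method calls.
"""
import secrets

DEMO_PASSWORD = "correct horse"   # constructed demo credential (assumption)


class Provider:
    """OAuth provider O: owns the user's login session and the tokens."""

    def __init__(self):
        self.sessions = {}   # provider session id -> username
        self.tokens = {}     # access token -> (provider session id, client id)

    def authorize(self, client_id, sid=None, credentials=None):
        """Return (sid, token). Reuse a valid provider session if the browser
        presents one (the single sign-on part), otherwise require credentials."""
        if sid not in self.sessions:
            if credentials is None:
                raise PermissionError("login required")
            user, password = credentials
            if password != DEMO_PASSWORD:
                raise PermissionError("bad credentials")
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = user
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (sid, client_id)   # token bound to the O session
        return sid, token

    def introspect(self, token):
        """A token is active only while the provider session it belongs to exists."""
        entry = self.tokens.get(token)
        return entry is not None and entry[0] in self.sessions

    def logout(self, sid):
        """Destroy the provider session and every token issued under it."""
        self.sessions.pop(sid, None)
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != sid}


class App:
    """Client app (A or B): its local session stores the token, validated per request."""

    def __init__(self, name, provider):
        self.name = name
        self.provider = provider
        self.sessions = {}   # app session id -> access token

    def login(self, browser, credentials=None):
        sid, token = self.provider.authorize(self.name, browser.get("o_sid"), credentials)
        browser["o_sid"] = sid            # cookie for O
        app_sid = secrets.token_urlsafe(8)
        self.sessions[app_sid] = token
        browser[self.name] = app_sid      # cookie for this app
        return app_sid

    def request(self, browser):
        """Protected resource: check the token with O on each request and
        destroy the local session as soon as the token is no longer valid."""
        app_sid = browser.get(self.name)
        token = self.sessions.get(app_sid)
        if token is None or not self.provider.introspect(token):
            self.sessions.pop(app_sid, None)
            browser.pop(self.name, None)
            return 401
        return 200

    def logout(self, browser):
        """Redirect to O's logout: this kills the O session and all its tokens."""
        app_sid = browser.pop(self.name, None)
        token = self.sessions.pop(app_sid, None)
        if token in self.provider.tokens:
            sid, _ = self.provider.tokens[token]
            self.provider.logout(sid)
        browser.pop("o_sid", None)


def scenario():
    """Log in to A with credentials, to B without; log out of A; check both."""
    o = Provider()
    a, b = App("A", o), App("B", o)
    browser = {}   # cookie jar shared by both apps and the provider
    a.login(browser, credentials=("alice", DEMO_PASSWORD))
    b.login(browser)   # no credentials needed: the O session is reused
    before = (a.request(browser), b.request(browser))
    a.logout(browser)
    after = (a.request(browser), b.request(browser))
    return before, after


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows both apps serving requests after the two logins and both returning 401 after a single logout from A: B's local session is still present but its token fails introspection, so B destroys it on the next request. In a real deployment the introspection call on every request is the cost the answer below alludes to; caching the result for a short interval trades logout latency for load on O.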
The reason there is no categorical reply to your question is that it depends on the preferred user experience, and on the extent to which you trust and/or have control of the apps and servers.

I think there are several ways you might go, and your proposal is workable. I'd criticise it because a) you are using the OAuth token as a session token, and they aren't the same thing, and b) the "check validity of the OAuth access token on each request" part is a bit vague, and I suspect the UX might suffer.

In general it is not desirable to have a single sign-off scheme for OAuth2 client apps - users might believe they are logged into separate systems, which just happen to authenticate conveniently for them, and they might not want a single sign-off experience (e.g. if I log out of one Facebook user-provided app, I don't expect to be logged out of my timeline).

If you do need single sign-off and the apps are in the same domain, you can have them share a session cookie scoped to the domain they share. This is unsafe if other apps share the same domain and might not want to participate in the single-sign-on/off behaviour, or if you might not trust them to keep the cookies secret.

With Spring Session you can be more sophisticated and share the session token among the apps you trust (since you provide them access to the session store). This is quite efficient, and might be the way to go if you are in a position where you have control of all the moving pieces.

It might help to look at the OpenID Connect Session Management spec to see if there are ideas there. There is the concept of an identity token (distinct from the access token). I think they suggest doing validation checks in browser scripts in an iframe, which seems awfully ugly, but maybe there isn't a better way. If I thought about it, maybe you could do the same thing with normal session cookies (no need for full-blown OIDC, probably).
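The shared-session-store approach the answer describes (one cookie scoped to the common parent domain, one session record in a store that every trusted app reads), as an added example written for this page; it is not code from the answer or from Spring Session. `SessionStore` is an in-memory stand-in for the shared backend, the `cookies` dict stands in for the domain-scoped cookie, and the app names, TTL and user names are constructed.

```python
"""Shared-session-store variant of single sign-off.

Added illustration, not code from the answer or from Spring Session.
SessionStore stands in for the shared backend (Redis or similar), the
cookies dict for one cookie scoped to the shared parent domain, and the
apps and users below are constructed. The session is a single object owned
by the store, so invalidating it anywhere logs the user out everywhere.
"""
import secrets
import time

COOKIE = "SESSION"   # assumed name of the cookie scoped to the parent domain


class SessionStore:
    """In-memory stand-in for a shared session backend with absolute expiry."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock   # injectable for tests
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable id: the cookie is the only credential
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None; expired entries are purged."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self.clock():
            del self._sessions[sid]
            return None
        return entry["user"]

    def invalidate(self, sid):
        """Remove the session for every app at once. True if it existed."""
        return self._sessions.pop(sid, None) is not None


class App:
    """An app that trusts the shared store and keeps no session state of its own."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def current_user(self, cookies):
        return self.store.lookup(cookies.get(COOKIE))

    def login(self, cookies, user):
        cookies[COOKIE] = self.store.create(user)

    def logout(self, cookies):
        sid = cookies.pop(COOKIE, None)
        if sid is not None:
            self.store.invalidate(sid)


def scenario():
    """Log in at A, observe B sees the same user, log out at B, observe A is out too."""
    store = SessionStore()
    a, b = App("A", store), App("B", store)
    cookies = {}   # the one domain-scoped cookie both apps receive
    a.login(cookies, "alice")
    before = (a.current_user(cookies), b.current_user(cookies))
    b.logout(cookies)
    after = (a.current_user(cookies), b.current_user(cookies))
    return before, after


if __name__ == "__main__":
    print(scenario())
```

Here there is no per-request round trip to an authorization server: each app consults the store it already depends on, and logout is a single delete. The caveat from the answer applies unchanged, though: any application served under the same parent domain receives this cookie, so every such application must be trusted with it.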
Tags: oauth, oauth-2.0, logout, spring-security-oauth2