There are a lot of similar questions asked, though I didn't really find a good answer. Here is the scenario.
Given:
Three websites with different domain names (not just different subdomains):
- Site 1: Domain: CrossDomainServer.com - I have full control over this website. Server side technology - asp.net-mvc
- Site 2: Domain: CrossDomainClient.com - I can only ask their admin to put some javascript/html on their page.
- Site 3: Domain: CrossDomainEvil.com - A website that does not have permissions to use services provided by CrossDomainServer.com
Goals:
- When CrossDomainClient.com loads their page with the javascript provided by CrossDomainServer.com, there needs to be a check whether CrossDomainClient.com is allowed to use services. If it does, display these services, if it does not - display a login form.
- Once logged in, this site should not be asked to login again when they reload the page.
- Once logged in CrossDomainClient.com should be able to GET and POST data to CrossDomainServer.com via ajax.
- Noah gives a good article reference to solve this requirement.
- Also here is a good answer on how to implement this in asp.net-mvc.
- If CrossDomainEvil.com places the same script on their page, they should not be allowed to use services when user is authorized on CrossDomainClient.com - they should see a login form.
It seems that SSO is not what I'm looking for since it allows single point of entry into multipple systems.
It would be best if someone could point me to the article "for dummies" on how to achieve that since I really don't even know where to begin.
Any help is appreciated.
