
I am trying to do a login like Google does, which includes a cross-domain authentication. When logging into google.com you are automatically logged in for different domains like youtube.com. For me it looks like:

  • you enter credentials at accounts.google.com
  • Google sends a request via AJAX to check them
  • if they are correct, it 1. sets a cookie and 2. makes requests to the other domains like youtube and sends some identifiers (SID or token?) and sets the cookies for those domains as well
  • after all other domains also have the cookie in place Google redirects you back where you came from

I was researching a lot and it seems like easyXDM (http://easyxdm.net/wp/) is a good solution for this (do you think it is?). But I am not sure how to do the cross-domain authentication. When the user logs in correctly, should I just do requests to the other domains and pass the SID and create a cookie on the domains? Or is it not secure? Or should I create a token for the user after logging in and store it in my DB, then send the token to all the domains to authenticate him and then delete the token?

Some other stuff I found was a solution via iframes in iframes... also Google's analytics.js (https://developers.google.com/analytics/devguides/collection/analyticsjs/cross-domain) looked exciting... but I saw it's even integrated in easyXDM.

I hope some of you guys are having experience with that stuff. I am curious to read what you think :) gerti

gerti
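As an added example (not code from the question or the answer), here is a minimal version of the second scheme the question sketches: the login domain issues a short-lived, single-use handoff token bound to one target domain, the target domain redeems it exactly once, and only then sets its own independent session cookie. Handing the login domain's SID itself to the other domains would give each of them a long-lived credential; the separate handoff token keeps that exposure to one domain for one minute. The in-memory dicts standing in for the DB and the per-domain session stores, and the domain names, are constructed for the demo.

```python
import secrets
import time

# Constructed stand-ins for the login domain's DB (handoff tokens) and for
# each target domain's session store; one process here, separate hosts in reality.
HANDOFF_TTL_SECONDS = 60
_handoff_tokens = {}   # token -> {"user": ..., "aud": target domain, "exp": unix time}
_sessions = {}         # (domain, session_id) -> user


def issue_handoff_token(user, target_domain, now=None):
    """Login domain: mint a random token usable once, by one domain, for a short time."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _handoff_tokens[token] = {"user": user, "aud": target_domain,
                              "exp": now + HANDOFF_TTL_SECONDS}
    return token


def redeem_handoff_token(token, this_domain, now=None):
    """Target domain: consume the token once; return the user on success, else None."""
    now = time.time() if now is None else now
    record = _handoff_tokens.pop(token, None)   # pop: consumed even if checks below fail
    if record is None:
        return None
    if record["aud"] != this_domain or now > record["exp"]:
        return None
    return record["user"]


def establish_session(domain, user):
    """Each domain sets its own session cookie value; nothing from the login domain is reused."""
    session_id = secrets.token_urlsafe(32)
    _sessions[(domain, session_id)] = user
    return session_id


def cross_domain_login(user, login_domain, other_domains, now=None):
    """The flow from the question: log in once, then establish a session on every other domain."""
    cookies = {login_domain: establish_session(login_domain, user)}
    for domain in other_domains:
        token = issue_handoff_token(user, domain, now)
        # In a real deployment this is an HTTPS request to `domain` carrying the token.
        if redeem_handoff_token(token, domain, now) == user:
            cookies[domain] = establish_session(domain, user)
    return cookies
```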

1 Answer

What you want is OAuth2 (this is the protocol you're referring to -- what Google login does).

If you're looking for a simple solution, you might want to try using something like Stormpath + IDsite. It's a free API service you can sign up for / use.

Basically, they'll host a domain for you where you redirect your users when you want them to create an account or log in. They'll then handle all the authentication / authorization (across domains), and send you back an authenticated user with a JSON web token (JWT).

Stormpath has a bunch of libraries for a variety of programming languages, you can get started here: https://docs.stormpath.com/home/

The other solutions people typically go with require quite a bit of time / effort to get running. I've actually helped build quite a few of the Stormpath libraries (in Node / Python), so I'm pretty familiar with it -- you really can't beat it in terms of simplicity.

rdegges
  • Thank you, I will take a look at Stormpath. But about OAuth... I also thought it would be a good solution. But it seems like it's more for third-party authorization. And you need to confirm the authorization for every single domain when you visit it for the first time. Am I wrong here? – gerti Jun 14 '15 at 10:39
  • This is correct -- if you want truly 'single sign on' you'll need to implement SAML -- but this is typically WAY more complex than what most people need. You can 'fool' users into thinking they have SSO by implementing a smooth OAuth2 flow with token auth =) – rdegges Jun 14 '15 at 19:44