
This is more of a design question.

We have a web application "webapp", written in Java & Spring, which is used by people within our org as well as by people outside. When the user tries to log in to the application, it tries to find the user in the local database. If there is a password (encrypted), it will authenticate against that; if the password column is empty, it will talk to LDAP and authenticate the user. Now we have a new mobile app "mobileapp" that has a link to the "webapp". We are thinking of implementing SSO here so that the mobile app user doesn't have to log in again when they click this link. We also think that there will be a few more services and applications in the future that have to work closely on the same authentication/authorization platform. A couple of things we thought we could do:

  1. Remove the authentication and authorization code from "webapp" and make it a separate service (an "AA service").
  2. Let the AA service generate OAuth tokens and let any client app, including "webapp", use a "Login with AA Service" button to log in.

Does this sound like a good solution? Is there a better way to handle this problem? Are there such solutions already built in Java/Spring/OAuth/OpenID Connect/JWT etc.?

Robby

1 Answer


For me, you have three main use cases to consider:

  • login web flow
  • web service call (from another website)
  • mobile app authentication flow (and the question is: do you want to embed the login page / flow or not?)

I see two main solutions:

1) Using the CAS protocol, a) the login web flow is trivial, b) the web service calls are made via CAS proxy support (more complicated) and c) the mobile app authentication flow (posting credentials directly to the server) can be achieved with the REST API support.

2) Using the OAuth / OpenID Connect protocols, a) the login web flow is supported via the authorization code flow, b) the web service calls are made via HTTP requests using the ID token retrieved previously and c) the mobile app authentication flow can be done using the OAuth resource owner password grant flow if the credentials are received by the mobile app, or via the implicit flow if the mobile app has called a login page in an embedded web browser.

See: "What OpenID Connect authorization flow to authenticate mobile app users?" and http://connect2id.com/learn/openid-connect

Disclaimer: I'm a CAS committer and the creator of the pac4j security library (www.pac4j.org)

jleleu
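The following is an added example, not part of the answer above and not code from CAS or pac4j. It plays out option 2's authorization code flow in a single Python file: an in-memory authorization server stands in for the "AA service" from the question and a relying party stands in for "webapp", so both sides' messages (the /authorize request, the redirect carrying the code and state, and the back-channel /token exchange) are visible as plain function calls. It adds PKCE and a state parameter, which RFC 8252 recommends for native and mobile apps in place of the implicit flow. The issuer URL, client id, client secret, signing key and the user "alice" are all constructed for the example. One detail worth noting: the ID token tells the relying party who logged in, while the access token is the bearer credential that later API calls carry.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://aa.example"  # assumed issuer URL for the AA service
SIGNING_KEY = b"secret-known-only-to-the-AS-and-its-token-verifiers"  # assumed key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """HS256 JWT: header.payload.signature, base64url without padding."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, audience: str) -> dict:
    """Check the signature first, then issuer, audience and expiry, before trusting any claim."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

class AuthServer:
    """The separate 'AA service': authenticates users (DB or LDAP) and issues tokens."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # code -> {sub, client_id, redirect_uri, challenge, exp}

    def authorize(self, client_id, redirect_uri, state, code_challenge, user_sub):
        # /authorize endpoint; user_sub is the user the AS itself has just authenticated
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"sub": user_sub, "client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "exp": time.time() + 60}
        return {"code": code, "state": state}  # query parameters of the redirect back

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        # /token endpoint: back-channel exchange of a one-time code for tokens
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret.encode(), client_secret.encode()):
            raise ValueError("client authentication failed")
        rec = self.codes.pop(code, None)  # pop, not get: a code is single use
        if rec is None or rec["exp"] < time.time():
            raise ValueError("invalid, expired or replayed code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != rec["challenge"]:
            raise ValueError("PKCE verification failed")
        now = int(time.time())
        base = {"iss": ISSUER, "sub": rec["sub"], "iat": now, "exp": now + 300}
        return {"access_token": sign_jwt({**base, "aud": "webapp-api", "scope": "read"}),
                "id_token": sign_jwt({**base, "aud": client_id})}

class RelyingParty:
    """A client such as 'webapp' or 'mobileapp' that logs in through the AA service."""
    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.az, self.cid, self.secret, self.redirect = auth_server, client_id, client_secret, redirect_uri
        self.pending = {}  # state -> PKCE code_verifier, kept in the user's session

    def start_login(self):
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = verifier
        return {"client_id": self.cid, "redirect_uri": self.redirect, "state": state,
                "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}

    def finish_login(self, callback):
        verifier = self.pending.pop(callback["state"], None)
        if verifier is None:
            raise ValueError("unknown state: possible CSRF or replayed callback")
        tokens = self.az.token(self.cid, self.secret, callback["code"], self.redirect, verifier)
        sub = verify_jwt(tokens["id_token"], audience=self.cid)["sub"]  # who logged in
        return sub, tokens["access_token"]  # the access token is what API calls carry

def demo():
    """One login for the constructed user 'alice'; replaying her code must be refused."""
    az = AuthServer({"webapp": ("s3cret", "https://webapp.example/callback")})
    rp = RelyingParty(az, "webapp", "s3cret", "https://webapp.example/callback")
    req = rp.start_login()                                      # browser -> /authorize
    cb = az.authorize(req["client_id"], req["redirect_uri"], req["state"],
                      req["code_challenge"], user_sub="alice")   # AS -> browser -> callback
    sub, access = rp.finish_login(cb)                           # RP -> /token (back channel)
    try:
        az.token("webapp", "s3cret", cb["code"], req["redirect_uri"], "irrelevant")
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return sub, verify_jwt(access, audience="webapp-api")["scope"], replay_rejected
```

`demo()` returns the logged-in subject, the scope the resource server reads from the access token, and whether the replayed code was refused. The pieces that matter for SSO across "webapp", "mobileapp" and future services are the ones a real authorization server (Spring Authorization Server, Keycloak, CAS with its OIDC support) does for you: binding the code to one client, redirect URI and PKCE challenge, making it single use, and having every client verify issuer, audience and expiry on the ID token rather than trusting the payload as received.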