I've developed a single sign-on strategy with login/logout/refresh on multiple domains with JWT tokens. The SSO is managed via postMessage iframes as described here: Single sign-on flow using JWT for cross domain authentication
The problem I have is when the user has Third Party Cookies disabled in his browser.
Then the postMessage technique with iframes does not work anymore:
- When passing a message top-down (setting the cookie inside the iframe), it fails
- When passing a message bottom-up (reading the cookie inside the iframe), it also fails
I therefore have to develop a fallback workflow for all users with disabled Third Party Cookies.
It works the following way:
- User logs in at the auth server
- A cookie is set at the auth server
- User gets redirected back to pageA and another cookie (with the same content) is set there
- User visits pageB and wants to login there
- User gets redirected to the auth server. The cookie is recognized and user gets redirected back to pageB and another cookie (with again the same content) is set
- All 3 cookies are now "in sync"
- The problem now arises when the user refreshes his token on pageB. Then he cannot refresh it again on pageA and he has to login again on pageA
- Because the TTL of the access token is very short, this is a very bad experience
My conclusion to this: If a user has disabled Third Party Cookies, drop the whole SSO. The user simply has to login on every page.
Am I right or is there something I am missing?
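Added example (not code from the question or its author): a small simulation of the fallback flow described above, under the assumption that the auth server rotates refresh tokens (each refresh token is single-use) and that every domain keeps its own first-party cookie copy. The names `AuthServer` and `runScenario` are made up for the illustration.

```javascript
// Simulated auth server with refresh-token rotation (assumption: single-use
// refresh tokens, which is what makes the copies on other domains go stale).
class AuthServer {
  constructor() {
    this.validRefresh = new Set(); // refresh tokens that are still redeemable
    this.counter = 0;              // deterministic token ids for the demo
  }
  login() {
    return this.issue();
  }
  refresh(refreshToken) {
    if (!this.validRefresh.has(refreshToken)) return null; // stale or unknown
    this.validRefresh.delete(refreshToken);                 // rotation: used once
    return this.issue();
  }
  issue() {
    this.counter += 1;
    const pair = { accessToken: "at-" + this.counter, refreshToken: "rt-" + this.counter };
    this.validRefresh.add(pair.refreshToken);
    return pair;
  }
}

// Replays the steps from the question: three cookie copies get "in sync" via
// redirects, then pageB refreshes first and pageA's copy is left behind.
function runScenario() {
  const auth = new AuthServer();
  const cookies = { auth: null, pageA: null, pageB: null };
  cookies.auth = auth.login();          // user logs in at the auth server
  cookies.pageA = { ...cookies.auth };  // redirect back to pageA copies the cookie
  cookies.pageB = { ...cookies.auth };  // pageB redirects via the auth server, same copy
  const refreshedB = auth.refresh(cookies.pageB.refreshToken); // pageB refreshes first
  if (refreshedB) cookies.pageB = refreshedB;
  const refreshedA = auth.refresh(cookies.pageA.refreshToken); // pageA still holds rt-1
  return {
    pageBRefreshed: refreshedB !== null,
    pageARefreshed: refreshedA !== null, // false: rt-1 was consumed by pageB
    staleCopies: [cookies.auth, cookies.pageA].filter(c => !auth.validRefresh.has(c.refreshToken)).length,
  };
}
```

Running `runScenario()` yields `pageARefreshed === false`, which is exactly the forced re-login on pageA; with rotation, any copy that did not perform the refresh is invalidated, so keeping three independent cookie copies in sync without a shared channel is what breaks.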