Single Sign-on (SSO) #1342

Open
Mangatt opened this issue Apr 19, 2017 · 7 comments


@Mangatt

Mangatt commented Apr 19, 2017

After heavy research, I'm still not sure what the best way is to implement Single Sign-on (SSO) with Feathers.

Scenario:

  • user logs in at login.feathersjs.com, JWT is issued
  • user can automatically log in at app1.feathersjs.com or app2.feathersjs.com (possibly at otherdomain.com)
  • after logout, all JWTs are invalidated

There are a few possible solutions, but none of them feels right:

  • turn on cookies - CSRF threat, not applicable for otherdomain.com
  • use window.postMessage - not working in Safari 7+
  • use redirects (app1 does not have JWT, redirects to login, JWT is sent back) - no logout, possible security concern

Any thoughts?
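
Added example, not part of the original thread and not Feathers' own code: one way to get the "after logout, all JWTs are invalidated" property from the scenario above is to put a server-side session id in each JWT and have every app check it. The names `issueToken`, `verifyToken`, `logout` and `sessions`, the shared HS256 secret and the in-memory store are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumptions: one HS256 key shared by all services, and an in-memory Set
// standing in for a session store every app can reach (database, Redis, ...).
const SECRET = 'constructed-demo-secret';
const sessions = new Set();

const b64url = (value) => Buffer.from(value).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Login host: create a server-side session and embed its id (sid) in the JWT.
function issueToken(userId, ttlSeconds = 900, now = Date.now()) {
  const sid = crypto.randomUUID();
  sessions.add(sid);
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const payload = b64url(JSON.stringify({ sub: userId, sid, exp }));
  return `${header}.${payload}.${b64url(sign(`${header}.${payload}`))}`;
}

// app1/app2: check signature, algorithm and expiry, then that the session is live.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  const expected = sign(`${header}.${payload}`);
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (err) {
    return null;
  }
  if (head.alg !== 'HS256') return null;
  if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) return null;
  return sessions.has(claims.sid) ? claims : null; // gone after logout
}

// Login host logout: deleting the session rejects the token on every app.
function logout(token) {
  const claims = verifyToken(token);
  if (claims) sessions.delete(claims.sid);
  return claims !== null;
}
```

The trade-off is that verification is no longer stateless: every app needs a lookup against the shared session store on each request.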

@marshallswain
Member

marshallswain commented Apr 19, 2017

Do you control all of the domains & servers?

@Mangatt
Author

Mangatt commented Apr 19, 2017

Yes.

@Mangatt
Author

Mangatt commented Apr 20, 2017

I've stumbled upon the option of running my own OAuth server for local auth, but that seems quite complicated. This is not that uncommon a scenario; aren't there any simpler solutions?

@marshallswain
Member

I'm not certain what your exact requirements are, but maybe this gist will help with cross domain auth: https://gist.github.com/marshallswain/3c9e5b3b177b977468b5b711b6254f67

@ekryski
Contributor

ekryski commented Jul 24, 2017

Somewhat related to #469 and #548

@daffl daffl transferred this issue from feathersjs-ecosystem/authentication May 8, 2019
@Dahkenangnon

What?

I'm facing the same problem, but with some differences:

And?

I have a Feathers JS app and other Express/Node.js apps.
Now I want to have an SSO authentication system for all these systems.

Architecture 👩‍💻?

Apps are like:

app1.domain.com
app2.domain.com
app3.domain.com
feathers.domain.com

I'm on a VPS.

Need your help please!

Do you have any suggestions or recommendations for me, please?
Can I use the OAuth of Feathers?
Because there is a mix of Feathers and Node.js apps, is this (SSO) possible?

Thank you very much for the time you spend responding to this.

@marshallswain
Member

I'm doing single sign on in a couple of apps. I can only recommend using the feathers-Auth0 adapter and turning most of the work over to Auth0 for this situation. It has been really refreshing to be able to focus on my apps instead of constantly revisiting auth.
