
External authentication for web application

The number of web applications grows every day, and each of them includes its own user management / authentication / authorization. Increasingly, a user-facing web site is a collection of integrated web applications rather than a single CMS. The question arises: how, in such cases, is single user authentication across these applications solved?

The question did not arise by chance. I am now working on product requirements (a web application), and I understand that external authentication is a must-have for the product. Are there any standard options for such authentication?

The first thing that comes to mind: OpenID. OK, we write "OpenID support" into the requirements. But not all applications and websites use OpenID authentication.

The second thing that comes to mind is to implement support for authentication on the side of another application, something like this:
First, let's write out all the use cases that are in some way related to authentication:
1. A user who is already authenticated in another application visits my application
2. Login
3. Logout
4. Register
5. Password reminder / password reset
6. Profile password change

1. "A user who is already authenticated in another application visits my application." To authenticate such a user automatically, the external application must pass the username and an authentication token; the token is the most interesting part. The token must be specific to the username, to the external application instance and to my application instance (i.e. it must not be valid for any other pair of external-app instance and my-app instance). The mechanism for generating and checking such a token can be built on public-key cryptography. Another option: my application instance can make an HTTP request to the external application to verify the token, but this method is more resource-intensive.
2. Login: my application instance should redirect (or immediately POST the login / password) to the external application, passing it, in addition to everything else, a ReturnURL, the URL to return / redirect to after successful authentication.
3. Logout: similar to login, only with fewer parameters.
4. Register: similar to login.
5. Password reminder: similar to login.
6. Profile password change: I think it makes sense to block this functionality in my application and provide a link to the profile settings in the external application.

All this is of course great, but it smells strongly of reinventing the wheel. Maybe Habr readers know of reference implementations that solve the external authentication problem for web applications?

Source: https://habr.com/ru/post/30782/