John Davidson

php - Creating a Login-in-as from a seperate server

0 comments
Message:


The Background


I have a Laravel system with a standard login system, hashes, username etc..
I also have multiple servers. My own server as the Web developer, and client servers that host client sites. Some clients have multiple sites.


Thr problem


I have a scenario where I would like to have the Main website (The developer site) where clients can login.


Once they login into the portal, they will see a list of websites that are 'owned' by that client.


I would then display a 'Login' button so once they click the button, it would authenticate them into the remote site and redirect them to it. (ya ya single login).


Generally speaking this is all possible and easy enough especially when the sites are on the same server as I can access both DB.


However in this new scenario, the main site is on a separate server.


I have considered 2 options


Option 1


Setting a cookie in the browser from the main Site with certain info that the client site would read.
then redirecting them to the secondary site which would check for that cookie then authenticate.


Option 2


User logs into the main site, selects 'login', which sends a curl-request with api info to the secondary site, in which the secondary site would then somehow authenticate.


If anyone has any ideas, simpler the better as long as it does compromise security, or suggestions would be most helpful



My Answer:
One possible solution could be to use JSON Web Tokens (JWT) for authentication between the main site and the client sites.

Here's how it could work:

1. When a user logs into the main site, generate a JWT token containing the user's information (such as their username, user ID, etc.) and sign it with a secret key that is shared between the main site and the client sites.

2. When the user clicks the 'Login' button for a specific client site, send a request to the client site with the JWT token in the request headers.

3. On the client site, verify the JWT token using the shared secret key. If the token is valid, extract the user's information from the token and use it to authenticate the user on the client site.

This way, you can securely authenticate users between the main site and the client sites without compromising security. Additionally, JWT tokens are easy to generate and verify, making this solution relatively simple to implement.

Rate this post

3 of 5 based on 7328 votes

Comments




© 2024 Hayatsk.info - Personal Blogs Platform. All Rights Reserved.
Create blog  |  Privacy Policy  |  Terms & Conditions  |  Contact Us