Tags: java, spring, authentication, google-oauth, access-token

Cross-client Identity server to client passing access token

I am implementing a web application with the client and server running on different domains.

I have implemented Google-based authentication using Spring Security on the server side.

Now, when the client calls the login API, the server redirects it to the Google page for authentication. After authentication is done, the server needs to send the access_token to the client.

As the client is sitting on a different domain, I am not able to pass the access_token in a header or cookie using `response.sendRedirect(baseUrl)`.

Is there any other way to handle token-based authentication in such a situation?


Solution

While scanning through various options I came across two solutions:

1. This link shows how to set a cookie from one page to another: http://subinsb.com/set-same-cookie-on-different-domains

   After authenticating successfully on the server side, it redirects temporarily to a local screen which internally calls the client, as explained in the link above.

2. The other way is:

   To make the login request, the client will open a separate popup window and pass a secure_id along with the request. The client also stores this secure_id temporarily. Once the server completes authentication, it redirects to a client page notifying the client to close the popup window.

   Once the popup window is closed, the client can request the access token from the server using the secure_id it had stored.