Search code examples
fusionauth

Is this SSO scenario possible with FusionAuth?

  1. I go to my application and check if there is JWT cookie
  2. If it is there, I parse it and start to verify if user have access to my application
  3. If it is not there, I will redirect user to authenticate in FusionAuth
  4. After successful login, user will be redirected back to my application

How do I specify in step 3 fusionauth id of my application?

And how do I specify that I want to redirect to my application after successful login?

I assume that fusionauth is running on fusionauth.mydomain.com and application on myapp.mydomain.com and JWT cookie will be issued in mydomain.com, so it will be visible for both.

Solution

  • Yes, this is possible.

    In step 3, you will redirect the browser to the FusionAuth login page. Navigate to Settings --> Applications in the FusionAuth UI and click on the green view button for the application in questio.

    This will bring up a dialog which will show integration information (if you're on a recent version of FusionAuth).

    You'll see a link something like this:

    OAuth IdP login URL: https://fusionauth.mydomain.com/oauth2/authorize?client_id=ee31103f-2fc1-4bb5-ba95-ac543693503e&response_type=code&redirect_uri={your URI here}

    The client_id parameter in this case will identify your application to FusionAuth.

    And how do I specify that I want to redirect to my application after successful login?

    This is configured in FusionAuth as an authorized redirect, and then you specify this same URL when redirecting to FusionAuth to login. Notice the redirect_uri parameter in the example URL above. There is a screenshot of this configuration here: https://fusionauth.io/docs/v1/tech/oauth/overview

    I assume that fusionauth is running on fusionauth.mydomain.com and application on myapp.mydomain.com and JWT cookie will be issued in mydomain.com, so it will be visible for both.

    FusionAuth does not currently drop cross domain cookies. If you are running FusionAuth at fusionauth.mydomain.com the Cookie will have that same domain and not be visible to myapp.mydomain.com.

    If you want to leverage FusionAuth, then you do not need to inspect the cookie on myapp.mydomain.com, you'll simply redirect the user if they are not logged in and then if the user already has a SSO session on FusionAuth, they will be seamlessly redirected back to your application.

    You can review our login workflows to identify the one that fits your requirements the best and then follow the recommended workflow. https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows