I have two web apps. They already use Oauth bearer token, OWIN and asp.net identity. I just need to implement SSO. More specifically, I need the user to automatically be signed in to one site if they already signed in on the other.
The back end is c#, front end is Angular.
Is this something that can be done without third party SSO providers?
I looked into authO and other providers, but I don't need the identity and the authentication part. Just the authorization piece.
There are a couple of patterns to be aware of here.
COOKIE SHARING
A reverse proxy, eg NGINX, enables you to develop multiple apps independently, then compose them at different paths under the same web domain at deployment time. This is cookie sharing and not SSO.
- https://www.example.com/marketing
- https://www.example.com/finance
One option to enable this without conflicts between apps is to issue cookies via a utility API.
SINGLE SIGN ON
The above example is not a good security design though. A cookie for the (low security) marketing app should not be usable against (higher security) backend endpoints for areas like finance.
SSO is a more secure option in this example. Certain users might be able to use both apps, which run in different web domains. For SSO to work the prerequisite is that both apps must implement login via the same external system. In OAuth 2.0 this is the authorization server (AS).
- https://www.marketingapp.com
- https://www.financeapp.com
The big things this enables are separated API credentials and separated cross site scripting risks. If a malicious party hacks the marketing app, they cannot access finance data. Meanwhile the AS manages the cookie sharing that enables SSO.
SUMMARY
Both of these are viable techniques. Choose the first option when you have 2 micro frontends for the same business area. Choose the second option when crossing business areas with different data sensitivity.