I am working on creating an sso solution using oidc-provider and oidc-client-ts using authorization code flow with pkce. I have the core configuration items in place and can go through the flow up to getting the response with the access_token and id_token. I am working on implementing the httpOnly cookie scenario but am confused on how the sso would be achieved if I have two apps on the same subdomain and a third app that is completely external to the domain.
How would the httpOnly cookie carry over to subsequent apps after the initial log in and if it would not what strategy would I need to make this happen?
How would the oidc-provider know this user is already logged in once the request is made to the other applications?
There are multiple components here and two different types of cookies.
BROWSER FRONTEND
The oidc-client-ts
library is for running a flow solely in JavaScript and using access tokens in the browser.
If you want the browser app to send cookies to your backend components you need to use a Backend for Frontend (BFF) instead.
BFF
This is either a web backend or a utility API which issues application cookies for the browser based app. It must run in the same parent domain as the web origin so that cookies sent are first-party and not dropped by the browser.
An SPA at https://www.product.com
might use these cookie properties:
OIDC PROVIDER
This issues a different cookie, the SSO cookie, which is usually third-party to your apps.
When app1 runs a code flow and the user authenticates, the SSO cookie is issued. When app2 runs a code flow, the SSO cookie can be used to authenticate the user automatically. There does not need to be a same domain relationship between app1, app2 and the oidc provider.
A provider at https://login.example.com
would use these properties to indicate that the cookie should be used across multiple sites:
During top level navigations like OIDC authentication requests, the browser allows SSO cookies to be sent, even though they are third-party. In other cases third-party cookies are dropped aggressively. You can read more about the latest cookie behaviours in the RFC6265bis specification.
The SSO cookie, once decrypted, typically contains an ID that links to a database row, eg in a sessions
table. Each app that the user signs into might be a row in another table, eg called delegations
. In this manner the OIDC provider can process requests from cookies.