I need to share login between sites without using OAuth. Is there a better solution to this problem?



  • I am currently making a new web app at my company. That company must use the same login credentials as an existing web app made by a different developer (let's call him Steve). Steve had already created a DLL to share login credentials between different websites: that DLL basically calls an internal REST API to see if the username and password are valid.
    In the meantime, my boss was completely unaware that Steve already made a crap Single Sign-On solution and instructed me to develop a custom OAuth solution. Nowadays both the OAuth system and Steve's Single Sign On are in production.
    The new website I am making will use both logins: you can log in using an OAuth user or a Steve SSO user. That's not the problem.
    The real problem is that my boss requested that when the user clicks a link to my web app from Steve's web app, the user gets automagically logged in to my website without being asked to enter their username/password again. I can't change Steve's app to use OAuth and I can't access Steve's cookies, since it's a different website altogether. The only way I could think of to solve this problem, which is also the one my boss suggested, is to generate a token which would be sent via POST to my app when the user clicks the link on Steve's site to go to my app. Then my app would validate the token and do all the sign-in magic. But there must be a reason nobody does that, right? I can't help but think doing this would open a giant security hole. My boss doesn't care about security, and I shouldn't care since I am just following orders, but I would love to know why it is wrong to just send magic parameters via POST to do Single Sign On and what I should do instead.



  • You state that you cannot change Steve’s app to use OAuth, but... you could somehow change it so it makes magic mumbo jumbo to log you in on yours?

    What can you do at all in/with Steve’s app?

    (Also, if you imply that some frontend javascript must do the magic, fuggetaboutit, you may just as well pass credentials as cleartext in a GET.)


  • And then the murders began.

    @magnusmaster said in I need to share login between sites without using OAuth. Is there a better solution to this problem?:

    The only way I could think of to solve this problem, which is also the one my boss suggested, is to generate a token which would be sent via POST to my app when the user clicks the link on Steve's site to go to my app. Then my app would validate the token and do all the sign-in magic.

    Congratulations: you just reinvented SAML SSO.

    But there must be a reason nobody does that, right?

    Nope. That's actually a pretty common pattern.

    If this is ASP.NET or ASP.NET Core, I'd suggest springing for ComponentSpace's SAML components. They're well worth the money.



  • Say magnusapp and steveapp have a shared secret. Or better, they have one secret each.

    Steveapp contains a link that’s supposed to open magnusapp. You click it, steveapp generates a string of random shit, signs it with its secret (using an HMAC), and that goes over to magnusapp.

    The magnusapp server takes that payload, verifies its signature, and sends a POST to steveapp to ask what is the meaning of that random shit, signing it with its own secret. Steveapp validates the request, and when it’s happy, it tells “it’s user X!”. magnusapp then just generates the bearer token and lets user X proceed.

    Of course you may want to harden the communications between steveapp and magnusapp, maybe adding client certificate authorization in between, or something. Once you’re confident no one can impersonate steveapp, you should be good to go.

    But yeah, that means changing steveapp somewhat. Come to think of it, it’s not a huge change.
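    The handoff wft describes, as an added example that is not code from the thread: Python stand-ins for steveapp and magnusapp, with the back-channel POST replaced by a direct function call and constructed HMAC keys. The nonce is opaque, single-use and time-bounded, which is what stops a captured POST from being replayed against magnusapp.

```python
import hmac
import hashlib
import secrets

# Constructed demo keys. HMAC is symmetric, so each app signs with its own
# key and the peer holds a copy to verify; in production use a secret store.
STEVE_KEY = b"constructed-steveapp-hmac-key"
MAGNUS_KEY = b"constructed-magnusapp-hmac-key"
MAX_AGE_SECONDS = 60

def sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def verify(key, payload, sig):
    # constant-time comparison so a forged signature cannot be guessed by timing
    return hmac.compare_digest(sign(key, payload), sig)

# --- steveapp side (runs when the user clicks the link to magnusapp) ---
pending_handoffs = {}  # nonce -> (user, issued_at); in production a shared store

def steve_issue_handoff(user, now):
    nonce = secrets.token_urlsafe(32)  # opaque: reveals nothing about the user
    pending_handoffs[nonce] = (user, now)
    payload = f"{nonce}.{now}"  # issue time is covered by the signature
    return payload, sign(STEVE_KEY, payload)

def steve_resolve(payload, sig, now):
    # answers magnusapp's back-channel "what does this mean?" request
    if not verify(MAGNUS_KEY, payload, sig):
        return None  # caller is not magnusapp
    nonce, issued = payload.split(".", 1)
    entry = pending_handoffs.pop(nonce, None)  # pop makes the handoff single-use
    if entry is None or now - int(issued) > MAX_AGE_SECONDS:
        return None  # unknown, already used, or too old
    return entry[0]

# --- magnusapp side (handles the POST coming from the browser) ---
sessions = {}  # bearer token -> user

def magnus_receive(payload, sig, now):
    if not verify(STEVE_KEY, payload, sig):
        return None  # payload was not issued (or was altered) by steveapp
    # back-channel lookup: a direct call standing in for a signed HTTPS POST
    user = steve_resolve(payload, sign(MAGNUS_KEY, payload), now)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    sessions[token] = user
    return token
```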



  • @wft Yeah, I will probably do that



  • You may also want to look into JWT - Json Web Tokens.



  • @Rhywden ...now you have gajillion problems :)



  • @wft said in I need to share login between sites without using OAuth. Is there a better solution to this problem?:

    @Rhywden ...now you have gajillion problems :)

    There are enough libraries which can both create and validate the tokens for you.


  • Fake News

    @wft said in I need to share login between sites without using OAuth. Is there a better solution to this problem?:

    @Rhywden ...now you have gajillion problems :)

    Well... If you pick SAML instead then you'll also have the "fun" of dealing with XML and namespaces. JWT is slightly simpler than that.


  • Notification Spam Recipient

    @magnusmaster said in I need to share login between sites without using OAuth. Is there a better solution to this problem?:

    But there must be a reason nobody does that, right?

    I don't know if "nobody does that" is accurate, unless I'm misunderstanding you.

    In Hypatia, you get a token from the main site that's effectively valid for three other endpoints (that end up passing the token back to the main site for decryption, hush hush). Seems fine enough to me. :mlp_shrug:

