1

I'm developing an API which uses oauth2 for authenticating users. The requirement is to develop a single sign on system for 3 different web applications. Lets take this scenario:

  • A user logs in to one of the application (lets say application1).
  • application1 receives a token and a refresh token. A refresh token is saved in secure session.
  • User goes to second application say application2. But the refresh token can not be used for application2 as it was created for application1.

What is the best way to generate a token for second application without user needing to log in?

Any suggestion would be great. Am I taking a right approach? I use symfony2 (FriendsOfSymfony/FOSOAuthServerBundle)

Webghost
  • 933
  • 2
  • 7
  • 18
  • OAuth2 is designed for authorization, but not authentication. For the latter there's OpenId Connect as an extension to OAuth2, I guess that's more what you want. See http://openid.net/connect/ . – Zólyomi István Jan 08 '15 at 14:36

1 Answers1

0

If your Authorization Server keeps an SSO session, your users would not have to login again when tokens for application2 are issued. Of course users will need to give consent to the scopes that application2 is requesting because it is a different application (or "client" in OAuth 2.0 terminology) that has nothing to do with application1 and needs its own tokens and permissions.

If you want to treat the two applications as a single entity because they are controlled by the same entity and/or it is all the same to you, you could have them use the same client_id and client_secret and register 2 redirect_uri's for this (single) client.

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
  • Thanks for the answer Hans Z. How would you go about giving consent to the scopes that application 2 is requesting and providing it new tokens? Same client_id is interesting. I will mind storm about it right now with myself. – Webghost Jan 07 '15 at 16:15