
I'm trying to create a simple SSO system in PHP for two domains which are thematically connected.

So I was wondering if it is possible to store a signed JWT token containing the user's username from domain A in local storage, and then to verify the JWT using the same secret key from domain B, which would lead to a successful authentication.

I've searched Google for some answers and I found some of them containing a middle authentication domain, which would take care of authentication. But I would just like to link the two domains I have.

Thanks.

Ales

2 Answers


Cross-origin data storage access from domain B to domain A is not allowed by same-origin policy

Access to data stored in the browser, such as localStorage and IndexedDB, is separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin.

The usual solution is to have a central domain for authentication (it could be A or B) and work with redirections among domains sending the JWT, or share the authentication token across domains using an iframe. See details here.

The OpenID, OAuth and SAML protocols work with redirections, and for example the Google web suite has its apps connected through iframes (additionally, Google is an OpenID Connect provider).

pedrofb
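Putting the redirect-based variant described in this answer into code, as an added example rather than code from the answer or the asker: domain A signs a short-lived HS256 JWT with the shared secret and sends the browser to domain B with it, and B checks signature, algorithm, issuer, audience and expiry before starting its own session. The secret value, the two domain names and the function names are assumptions.

```php
<?php
// Added example (not from the question or answers). Assumes both hosts hold
// SSO_SHARED_SECRET and that A passes the token to B in the query string.

const SSO_SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder value
const SSO_ISSUER   = 'https://a.example';   // assumed name of domain A
const SSO_AUDIENCE = 'https://b.example';   // assumed name of domain B

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad);
}

// Domain A: token is bound to domain B and expires after 60 seconds, so a
// leaked redirect URL is only useful for a short window.
function issue_sso_token(string $username, int $now): string {
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode([
        'iss' => SSO_ISSUER, 'aud' => SSO_AUDIENCE, 'sub' => $username,
        'iat' => $now, 'exp' => $now + 60,
    ]));
    $sig = b64url_encode(hash_hmac('sha256', "$header.$payload", SSO_SHARED_SECRET, true));
    return "$header.$payload.$sig";
}

// Domain B: returns the username only if every check passes, otherwise null.
function verify_sso_token(string $jwt, int $now): ?string {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(b64url_decode($header), true);
    if (($hdr['alg'] ?? null) !== 'HS256') return null;   // pin the algorithm; never honour "none"
    $expected = b64url_encode(hash_hmac('sha256', "$header.$payload", SSO_SHARED_SECRET, true));
    if (!hash_equals($expected, $sig)) return null;       // constant-time comparison
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims)) return null;
    if (($claims['iss'] ?? null) !== SSO_ISSUER) return null;
    if (($claims['aud'] ?? null) !== SSO_AUDIENCE) return null;
    if (!isset($claims['exp']) || $claims['exp'] <= $now) return null;
    return $claims['sub'] ?? null;
}

// On domain A after login:
//   header('Location: ' . SSO_AUDIENCE . '/sso?token=' . urlencode(issue_sso_token($user, time())));
// On domain B at /sso:
//   $user = verify_sso_token($_GET['token'] ?? '', time());
//   if ($user !== null) { session_regenerate_id(true); $_SESSION['user'] = $user; }
```

Because the token travels in a URL, keep its lifetime short and serve both domains over HTTPS; B should also clear the token from the address bar by redirecting once its own session cookie is set.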

There's no reason why you can't do this. A JWT isn't really anything special, it's simply a token much like a session ID token. The difference between a JWT and any other token is that it can contain a payload of data.

What you're describing is essentially the password grant of OAuth 2.0. Your SSO system is the authorisation server which can authenticate users and supply them with an access token. The access token can actually be a JWT in this case too. The users (resource owners) can then use their access tokens to access resource servers (your other, related domains); those resource servers can verify that the access token is valid and allow or deny requests.

I use the following library when implementing OAuth 2.0 in PHP: https://oauth2.thephpleague.com/ - there's some good information in the docs too.

edcs