Yes, SSO using OAuth is a viable solution, but it’s not the simplest one. When building anything new, OAuth 2.0 is the way to go. The OAuth standards cover a lot of ground. The primary advantage of OAuth is that it allows users to give 3rd party apps access to their account without disclosing their … Read more
You can change the button link to this format – http://<domain.com>/auth/realms/<realm-name>/protocol/openid-connect/registrations?client_id=<client_id>&response_type=code&scope=openid email&redirect_uri=http://<domain.com>/<redirect-path>&kc_locale=<two-digit-lang-code>
I had a similar problem on a JHipster-generated web application. Finally I decided to go with the SocialAuthenticationFilter option from Spring Social (via the SpringSocialConfigurer). After a successful social login, the server automatically generates and returns the “own” access token via redirection to the client app. Here’s my try: @Configuration @EnableResourceServer protected static class ResourceServerConfiguration … Read more
I would like to suggest a completely different approach to your problem. Instead of copying cookies from one place to another (manual sync), let’s make HttpURLConnection and WebViews use the same cookie storage. This completely eliminates the need for sync. Any cookie updated in any one of them, will be immediately and automatically reflected in … Read more
Well, rather than looking at the vulnerability, let’s look at the possible attack vectors. I’ll add a table here as a TL/DR Attacker | Vulnerable? Eavesdropper | Yes MITM | Yes Local Attack | Yes Server Attack | Yes So yes, it is an issue. Remote Attacker, can observe traffic, but cannot modify traffic Consider … Read more
The cookies are set on specific domains. Ex: setcookie(name,value,expire,path,domain) When you log in on gmail, before “mail.google.com”, you have been redirected to “accounts.google.com” then to “mail.google.com” so the cookies are on “accounts.google.com” too. In this case, the domain is “accounts.google.com” and the path is “/” (the home path). When you request “www.youtube.com” then you click … Read more
What problems are you having configuring OpenSSO? I found OpenSSO to be the easiest setup! My notes on getting the basic IDP up and running are below – hopefully they help you get up and running. Michael I’ve found that the best (i.e. most painless) way is… Use Glassfish – this is a well supported … Read more
Well, there are certainly many ways to achieve it, and it can be tricky. I can give you one solution as an example: Consider two apps on different subdomains: The Fine Corinthian Turkey Shop (turkey.example.com) Rent a Baboon (monkey.example.com) These two web apps want to share signon, and arrange for a third hosted website for … Read more