.NET-based Single Sign-On (SSO) solution (1)

Source: Internet
Author: User

There are many SSO solutions around, but searching for them is disappointing: most of what turns up is reposted material rather than a real description.
Coming to the topic, I want to use a centralized authentication scheme in which multiple sites all rely on a central Passport site for verification, as shown in the figure:

To keep the description clear, several terms are defined first:

Main site: the Passport server that performs authentication centrally, http://www.passport.com/.
Sub-sites: http://www.a.com/, http://www.b.com/, http://www.c.com/.
Credential: the data generated after a user logs in, used to identify an authorized user. It can be stored in many ways; in the demo the main site keeps it in the cache and the sub-sites keep it in the session.
Token: a unique identifier issued by Passport that can be passed around among the sub-sites.
OK. Now for the single sign-on process:
Case 1, anonymous user: an anonymous user requests an authorized page on sub-site A. A first redirects the user to the main site, where the user enters an account and password to log in. Once verification passes, the main site generates the user's credential, generates a token at the same time, and redirects back to sub-site A. Sub-site A now detects that the user carries a token and uses it to call the main site again to fetch the user's credential. Once the credential is obtained, the user is allowed onto the authorized page, and sub-site A generates its own local credential at the same time. When the user needs to be verified again, the local credential is checked first, to reduce network interaction.
Case 2, a user already logged in to sub-site A visits sub-site B: because the user has logged in at A and therefore holds a token, sub-site B uses the token to fetch the user's credential from the main site. Once it is retrieved, the user is allowed onto the authorized page, and a local credential is generated for sub-site B at the same time.

With the design complete, here are a few key points of the implementation:
Token: tokens are issued by the main site. When the main site issues a token it generates the user's credential at the same time and records the correspondence between the token and the credential, so that it can return the matching credential for a token presented by a sub-site. The token has to circulate among sub-sites on different origins, so in the demo I use a cookie of the main site and set cookie.Domain = "passport.com". How do the sub-sites get at the main site's cookie? The sub-site redirects to a page on the main site; that page reads the cookie and returns it to the sub-site as a URL parameter. The detailed implementation can be seen in the demo code; of course, if anyone has a better way to implement the token, please share it.
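The two cases and the token mechanism above, played through end to end as an added example in Python. This is not the author's .NET demo: the Passport server, sub-sites and browser cookie jar are in-memory stand-ins (the names PassportServer, SubSite, Browser and run_demo, the user table and the token lifetime are all constructed for the example), and the main-site cache and sub-site session become plain dictionaries. It also adds the checks a practitioner wants on this design: the token is random rather than derived from the user, a token Passport never issued is rejected, and a token past its lifetime is rejected.

```python
import secrets
import time
from dataclasses import dataclass

PASSPORT_DOMAIN = "passport.com"   # cookie domain of the main site, as in the post


@dataclass
class Credential:
    """Server-side record of an authenticated user (the post's "credential")."""
    user: str
    issued_at: float


class PassportServer:
    """Main site: verifies passwords, issues credentials and tokens (hypothetical stand-in)."""

    def __init__(self, users, token_ttl=600.0):
        self._users = dict(users)   # constructed user -> password table
        self._credentials = {}      # credential id -> Credential (the demo's main-site cache)
        self._tokens = {}           # token -> (credential id, expiry time)
        self._token_ttl = token_ttl
        self.resolve_calls = 0      # network round-trips made by sub-sites

    def login(self, user, password):
        """Check the password; on success create a credential and return a token."""
        if self._users.get(user) != password:
            return None
        cred_id = secrets.token_urlsafe(32)
        self._credentials[cred_id] = Credential(user, time.time())
        token = secrets.token_urlsafe(32)    # unguessable; never derived from the user
        self._tokens[token] = (cred_id, time.time() + self._token_ttl)
        return token

    def resolve(self, token, now=None):
        """Sub-site to main-site lookup: token -> credential, or None if unknown/expired."""
        self.resolve_calls += 1
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        cred_id, expires = entry
        if now > expires:
            del self._tokens[token]     # expired tokens are dropped, not honoured
            return None
        return self._credentials.get(cred_id)


class SubSite:
    """A sub-site (a.com, b.com, ...) that trusts Passport and keeps a local credential."""

    def __init__(self, name, passport):
        self.name = name
        self._passport = passport
        self._local = {}    # token -> Credential (the demo's per-sub-site session)

    def authorize(self, token):
        """Return the user allowed onto an authorized page, or None (redirect to login)."""
        if token is None:
            return None
        cred = self._local.get(token)        # local credential first: no network call
        if cred is None:
            cred = self._passport.resolve(token)
            if cred is None:
                return None
            self._local[token] = cred        # generate the local credential
        return cred.user


class Browser:
    """Minimal per-domain cookie jar: a.com cannot read passport.com's cookie directly."""

    def __init__(self):
        self._jar = {}

    def set_cookie(self, domain, name, value):
        self._jar.setdefault(domain, {})[name] = value

    def get_cookie(self, domain, name):
        return self._jar.get(domain, {}).get(name)


def run_demo():
    """Play through Case 1 and Case 2 from the post and return what each step saw."""
    passport = PassportServer({"alice": "correct horse battery"})  # constructed user
    site_a, site_b = SubSite("www.a.com", passport), SubSite("www.b.com", passport)
    browser = Browser()
    out = {}

    # Case 1: anonymous user on A. A sees no token and redirects to passport.com.
    out["anonymous"] = site_a.authorize(browser.get_cookie(PASSPORT_DOMAIN, "token"))
    out["bad_password"] = passport.login("alice", "wrong")
    token = passport.login("alice", "correct horse battery")
    browser.set_cookie(PASSPORT_DOMAIN, "token", token)   # cookie.Domain = "passport.com"
    # The main-site page reads its own cookie and jumps back to A with the token
    # as a URL parameter; A exchanges it for the credential (one network call).
    out["a_first"] = site_a.authorize(token)
    out["a_second"] = site_a.authorize(token)             # served from A's local credential

    # Case 2: same browser visits B. B redirects to passport.com, which reads the
    # existing cookie and hands the same token back; no password prompt.
    out["b_first"] = site_b.authorize(browser.get_cookie(PASSPORT_DOMAIN, "token"))
    out["resolve_calls"] = passport.resolve_calls         # exactly one per sub-site

    # Checks a defender wants: a forged token and an expired token are both rejected.
    out["forged"] = site_b.authorize("not-a-token-passport-issued")
    out["expired"] = passport.resolve(token, now=time.time() + 3600)
    return out


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:14} -> {result!r}")
```

Because the same token is handed to every sub-site as a URL parameter for as long as it lives, the example gives it a lifetime and a random value, and the sub-site keeps a local credential so the main site is only asked once per sub-site; the resolve_calls counter makes that observable.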

 
