Identity Authentication System (II): Single Sign-On for Multiple Web Applications

Source: Internet
Author: User
Tags: ticket

As the Internet has developed, web applications have become ever more complex, and a single web application can no longer meet complex business requirements. Baidu's search, news, encyclopedia and Tieba, for example, are in fact different sites. When users move between these platforms, we certainly do not want them to need a separate account on each one; otherwise both users and developers may be tempted to cry. So we need a system in which a user logs in once and can then access all of the trusted applications. This is called a single sign-on (SSO) system.

Simple implementation

In the last section of the previous chapter of this series, we introduced the cookie-based authentication model, and we can in fact build a simple single sign-on system on top of it. Usually the multiple sites of one system sit under the same top-level domain (for example, .baidu.com.cn), so we can let these sites share a cookie set on that parent domain. Once the user logs in on one site, every site can read the same login credential. This approach has two drawbacks, however:

1. We cannot guarantee that all of our subsystems are under the same top-level domain name.

2. Each site has to implement its own set of login and authentication functions.
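The following is an added example, not code from the original article, that shows exactly when a cookie scoped to a parent domain is shared between sites and when it is not. It applies the domain-matching rule of RFC 6265 (section 5.1.3) to a constructed cookie jar: one cookie set with `Domain=example.com` and one set without a `Domain` attribute (a host-only cookie). The hostnames and cookie values are made up for the illustration.

```python
# Added example: which cookies a browser would attach to a request for a given
# host, following the RFC 6265 domain-matching rule. Illustrates why sharing a
# parent-domain cookie works across subdomains but not across different domains.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if a cookie carrying Domain=cookie_domain is sent to request_host."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    # A host matches when it is a subdomain: it ends with "." + cookie_domain.
    # (This is why "notexample.com" does not match "example.com".)
    return request_host.endswith("." + cookie_domain)


# Constructed cookie jar: (name, value, domain, host_only)
SAMPLE_JAR = [
    # Set-Cookie: session=abc123; Domain=example.com   -> shared by all *.example.com
    ("session", "abc123", "example.com", False),
    # Set-Cookie: pref=dark   (no Domain attribute)   -> host-only, exact host only
    ("pref", "dark", "news.example.com", True),
]


def cookies_sent_to(host: str, jar=SAMPLE_JAR) -> list:
    """Return the name=value pairs a browser would send in the Cookie header to host."""
    sent = []
    for name, value, domain, host_only in jar:
        if host_only:
            if host.lower().rstrip(".") == domain.lower():
                sent.append(f"{name}={value}")
        elif domain_matches(host, domain):
            sent.append(f"{name}={value}")
    return sent
```

The session cookie set on `example.com` reaches `news.example.com` and `search.example.com` alike, which is the whole trick behind the simple implementation; it never reaches `example.org`, which is drawback 1 above. A cookie set without a `Domain` attribute is host-only and is not shared even with sibling subdomains, a common source of "the login does not propagate" bugs.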

Authentication and authorization

Before discussing how to overcome the shortcomings of a single sign-on system based solely on cookies, we have to discuss another topic: the separation of authentication from authorization.

When we talk about a login system, we generally mean: identify the user, then allow the user to access the resources their identity entitles them to. There are actually two things here. Identifying who the user is we call authentication; allowing the user to access the resources their identity entitles them to we call authorization. In traditional single-site applications we rarely discuss authentication and authorization separately, because the login feature was simple. Modern web sites, however, tend to diversify both. For authentication we may use an account and password, an SMS verification code, OAuth, face recognition and so on, while the authorization requirements and permission models differ from site to site. Because the two vary independently, we need to separate the authentication process from the authorization process in order to reduce coupling and improve cohesion.

Implementing a single sign-on system

Once we understand the concepts of authentication and authorization, we naturally notice that when a group of sites needs the same set of credentials, it is really their authentication system that is shared, while their authorization processes may differ.

Consider how we solve a similar problem in real life. To recognize a person as an employee of our company, a single department produces and issues a work badge for every employee, and the information on that badge determines what the employee may do in each department of the company.

Similarly, we can set up a unified authentication site that is responsible for the authentication step. When a user requests a protected resource on one of our sites, we first redirect the user to the unified authentication site. If the user is not yet logged in there, they are sent to the unified authentication site's login page; after a successful login it generates an identity ticket for the user (like the work badge) and returns that ticket to the site the user was visiting. If the user is already logged in, the login step is skipped and the identity ticket is returned directly to the site the user was visiting. Each site then uses its own authorization system to decide whether the user may access the requested resource.

In this way we have solved the problem that the domain names may not be unified, and the login and authentication function only needs to be implemented once, in the unified authentication site.
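The flow above, and the authentication/authorization split from the previous section, as an added example that is not part of the original article. A unified authentication site checks the password once and issues a signed identity ticket (the "work badge"); each application verifies the ticket and then applies its own authorization policy. The ticket is bound to one audience site, expires after a short time and is accepted only once, which is what keeps a ticket issued for one site from being reused on another or replayed. The user names, passwords, site names and policies are constructed, and the design assumes one HMAC key shared between the authentication site and the applications; in a real deployment each site would use its own key, or tickets would be signed with an asymmetric key, so that no application could mint tickets for another.

```python
# Added example: minimal ticket-based single sign-on (not the article's code).
# Assumption: auth site and applications share one HMAC key (see lead-in).
import base64
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ROUNDS = 100_000


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """The unified authentication site: the only component that ever sees passwords."""

    def __init__(self, key: bytes):
        self.key = key
        self.users = {}      # username -> (salt, pbkdf2 digest)
        self.sessions = {}   # SSO session id (kept in the auth site's own cookie) -> username

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def login(self, username: str, password: str):
        """Authenticate once; return an SSO session id, or None on failure."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id

    def issue_ticket(self, session_id: str, audience: str, now=None, ttl: int = 60):
        """Issue the 'work badge': a signed ticket bound to one site and a short time window."""
        username = self.sessions.get(session_id)
        if username is None:
            return None   # not logged in: the auth site would show its login page instead
        now = int(time.time()) if now is None else now
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
                  "jti": secrets.token_hex(8)}   # jti: unique id so each ticket is single-use
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        signature = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{signature}"


class Application:
    """One member site: verifies tickets, then applies its own authorization policy."""

    def __init__(self, name: str, key: bytes, policy: dict):
        self.name = name
        self.key = key
        self.policy = policy          # resource -> set of usernames allowed to access it
        self.used_ticket_ids = set()  # replay protection

    def verify_ticket(self, ticket: str, now=None):
        """Return the authenticated username, or None if the ticket must be rejected."""
        parts = ticket.split(".")
        if len(parts) != 2:
            return None
        body, signature = parts
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, signature):
            return None   # forged or tampered ticket: reject before parsing anything
        try:
            claims = json.loads(_unb64(body))
        except ValueError:
            return None
        if not isinstance(claims, dict):
            return None
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.name:
            return None   # issued for a different site
        if claims.get("exp", 0) <= now:
            return None   # expired
        if claims.get("jti") in self.used_ticket_ids:
            return None   # replayed
        self.used_ticket_ids.add(claims["jti"])
        return claims["sub"]

    def authorize(self, username: str, resource: str) -> bool:
        """Authorization is local to each site and independent of who authenticated the user."""
        return username in self.policy.get(resource, set())

    def handle_request(self, resource: str, ticket=None, now=None) -> str:
        """Outcome of a request for resource, optionally carrying a ticket from the auth site."""
        if ticket is None:
            return "redirect to authentication site"
        username = self.verify_ticket(ticket, now)
        if username is None:
            return "401 invalid ticket"
        if not self.authorize(username, resource):
            return "403 forbidden"
        return f"200 ok ({username})"
```

The same identity ticket mechanism serves every site, but the `policy` of each `Application` is its own: the same user can be an editor on one site and a plain reader on another without the authentication site knowing anything about either role. The `aud`, `exp` and `jti` checks in `verify_ticket` are the ones to keep in any real implementation; dropping any of them turns a ticket captured from one site into a credential for another, or into one that never stops working.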
