Sina SSO login process analysis [Single Sign-On Analysis]

Source: Internet
Author: User
Recently I have studied the Sina CAS login process and found that Sina SSO implements Yale CAS and adds a few new things. The interaction flow of the basic authentication process remains unchanged. The original idea is to implement single-point Ajax login, which is quite cool. The implementation principle is IFRAME + JavaScript callback function.

I. Basic SSO

The basic SSO implements unified login under the same top-level domain by setting cookies on the shared parent domain (for example .xxx.com), so that every application under that domain can read them. For example:

Single Sign-On address: sso.xxx.com/login.jsp

Application 1: web1.xxx.com/login.jsp

Application 2: web2.xxx.com/login.jsp

Application 3: web3.xxx.com/login.jsp

Login process:

Scenario 1: (the user has never logged on)

1. The user accesses web1.xxx.com/login.jsp; web1 redirects the user to sso.xxx.com/login.jsp.

2. The user enters credentials and verification succeeds. sso.xxx.com sets a tokenid cookie in the .xxx.com domain and redirects back to web1.xxx.com/login.jsp; web1.xxx.com reads the tokenid cookie from the .xxx.com domain and determines that the user is logged on.

Scenario 2: (the user has already logged on) the tokenid cookie is already present, so the user is logged on directly.

II. Sina SSO

Sina implements cross-domain unified login, which is still based on cookies in essence; if cookies are disabled, you cannot log on by any means. For example, the Sina SSO server is login.sina.com.cn/sso/login.php.

The Weibo login address is weibo.com/login.php. A callback function and an IFRAME are used to implement login across different top-level domains.

The authentication process is as follows. This section only describes the case where the user has not yet logged on.

1. Enter weibo.com/login.php

2. Enter the user name. When the user name input box loses focus, the page sends an Ajax request to login.sina.com.cn/sso/prelogin.php with the parameter user (the user name just entered). The server returns the server time and a nonce for authentication and writes them into JavaScript variables through the callback function.

3. Enter the password and click Login. The page sends a POST request (note that it is not an Ajax request sent by login.php) to login.sina.com.cn/sso/login.php?client=ssologin.js(v1.3.12); the request is initiated from an invisible IFRAME inside weibo.com/login.php. The parameters are the server time and nonce obtained in step 2, the user name and the encrypted password. The returned cookie TGT is set under login.sina.com.cn. The IFRAME address is then changed to weibo.com/ajaxlogin.php?ticket=xxxxxx. Note that the ticket is very important: it is the credential that logs the user in to the service.

4. The IFRAME accesses weibo.com/ajaxlogin.php?ticket=xxxxxx, which logs the user in: the returned cookie is set under .weibo.com to record the user's login information.

5. weibo.com/login.php is accessed again through JS. Because the cookie has already been written, the login succeeds and the server responds with a 302 redirect to the user's homepage, weibo.com/userid.

6. The login process is now complete.
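To make both patterns concrete (the shared parent-domain cookie of Section I and the cross-domain ticket hand-off of Section II), here is an added toy model written for this article; it is not Sina's code and the endpoints, cookie names other than TGT, the `session` cookie, the user `alice`, the `validate` back-channel and the 60-second nonce and 30-second ticket lifetimes are all assumptions. The article does not say how ajaxlogin.php checks the ticket, so here the application redeems it with the SSO server CAS-style, with the ticket bound to one service and consumed on first use; the nonce from prelogin is likewise single-use.

```python
import hmac
import hashlib
import secrets

# Constructed credential store for the toy SSO server (not real accounts).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def cookie_domain_matches(cookie_domain: str, host: str) -> bool:
    """Browser domain-matching rule: a cookie for '.xxx.com' is sent to
    web1.xxx.com and web2.xxx.com, but never to weibo.com (different domain)."""
    dom = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == dom or host.endswith("." + dom)


class Browser:
    """Minimal cookie jar keyed by (cookie domain, cookie name)."""
    def __init__(self):
        self.jar = {}

    def set_cookie(self, domain, name, value):
        self.jar[(domain, name)] = value

    def cookies_for(self, host):
        return {n: v for (d, n), v in self.jar.items() if cookie_domain_matches(d, host)}


class SsoServer:
    """Plays login.sina.com.cn: prelogin nonce, TGT cookie, one-time service ticket."""
    def __init__(self, cookie_domain):
        self.cookie_domain = cookie_domain
        self.nonces = {}    # nonce -> expiry (epoch seconds)
        self.tgts = {}      # TGT value -> user name
        self.tickets = {}   # ticket -> (user name, bound service host, expiry)

    def prelogin(self, now):
        """Step 2 of the article: hand out servertime and a fresh nonce."""
        nonce = secrets.token_hex(8)
        self.nonces[nonce] = now + 60              # assumed: nonce valid for one minute
        return {"servertime": now, "nonce": nonce}

    def login(self, browser, user, password, nonce, service, now):
        """Step 3: check nonce and credentials, set TGT on the SSO host, return a ticket."""
        expiry = self.nonces.pop(nonce, None)      # pop: each nonce redeems exactly once
        if expiry is None or now > expiry:
            return None
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, USERS.get(user, "")):
            return None
        tgt = secrets.token_urlsafe(24)
        self.tgts[tgt] = user
        browser.set_cookie(self.cookie_domain, "TGT", tgt)
        ticket = secrets.token_urlsafe(24)
        self.tickets[ticket] = (user, service, now + 30)  # assumed: short-lived, one service
        return ticket

    def validate(self, ticket, service, now):
        """Assumed back-channel check by the application; the ticket is consumed on use."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        user, bound_service, expiry = entry
        if bound_service != service or now > expiry:
            return None
        return user


class AppServer:
    """Plays weibo.com: redeems the ticket, then sets its own cookie under .weibo.com."""
    def __init__(self, host, cookie_domain, sso):
        self.host, self.cookie_domain, self.sso = host, cookie_domain, sso
        self.sessions = {}

    def ajaxlogin(self, browser, ticket, now):
        """Step 4: ajaxlogin.php?ticket=... turns the ticket into a local session cookie."""
        user = self.sso.validate(ticket, self.host, now)
        if user is None:
            return False
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = user
        browser.set_cookie(self.cookie_domain, "session", sid)
        return True

    def current_user(self, browser):
        """Step 5: login.php reads the .weibo.com cookie and can redirect to the homepage."""
        return self.sessions.get(browser.cookies_for(self.host).get("session"))


def run_flow(now=1_700_000_000):
    """Drives the whole exchange and returns the observations worth checking."""
    browser = Browser()
    sso = SsoServer("login.sina.com.cn")
    weibo = AppServer("weibo.com", ".weibo.com", sso)
    pre = sso.prelogin(now)
    ticket = sso.login(browser, "alice", "correct horse", pre["nonce"], "weibo.com", now + 5)
    first = weibo.ajaxlogin(browser, ticket, now + 6)
    replay = weibo.ajaxlogin(browser, ticket, now + 7)      # same ticket presented again
    stale = sso.login(browser, "alice", "correct horse", pre["nonce"], "weibo.com", now + 8)
    return {
        "tgt_seen_by_sso_host": "TGT" in browser.cookies_for("login.sina.com.cn"),
        "tgt_seen_by_weibo": "TGT" in browser.cookies_for("weibo.com"),  # why a ticket is needed
        "ticket_redeemed": first,
        "ticket_replayed": replay,
        "nonce_reused": stale is not None,
        "weibo_user": weibo.current_user(browser),
        "subdomain_shares_cookie": cookie_domain_matches(".xxx.com", "web1.xxx.com"),
    }


if __name__ == "__main__":
    print(run_flow())
```

The two booleans that matter most are `tgt_seen_by_weibo` (False: the TGT cookie on login.sina.com.cn is invisible to weibo.com, which is exactly why the ticket in the IFRAME URL is the only thing crossing the domain boundary) and `ticket_replayed` (False: a ticket that leaks through a referrer or a log is worthless once redeemed). The Section I case is the `subdomain_shares_cookie` line: a cookie on `.xxx.com` is enough for web1, web2 and web3 without any ticket exchange.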


Not complete ....
