Hi
We are looking to implement single sign-in into our application. If the API and the Angular app are hosted on different domains, would the single sign-in still work out of the box?
[HttpPost]
public async Task<AuthenticateResultModel> Authenticate([FromBody] AuthenticateModel model)
{
    ....
    if (model.SingleSignIn.HasValue && model.SingleSignIn.Value && loginResult.Result == AbpLoginResultType.Success)
    {
        loginResult.User.SetSignInToken();
        returnUrl = AddSingleSignInParametersToReturnUrl(model.ReturnUrl, loginResult.User.SignInToken, loginResult.User.Id, loginResult.User.TenantId);
    }
    ...
}
Regards, Dreamsmiths
11 Answer(s)
-
0
Hi @dreamsmiths,
The "SingleSignIn" in the code you have shared is kind of a workaround. It allows a user to login both on Angular and Public websites once. This approach works when you host API, Angular App and Public App on different servers/domains unless you use the same database.
If this is not what you want, you might consider using Identity Server 4.
-
0
What do you mean by: "unless you use the same database" ?
"It allows a user to login both on Angular and Public websites once. This approach works when you host API, Angular App and Public App on different servers/domains unless you use the same database."
Just to confirm:
- this means the user can log into the Angular app, and he will automatically be logged into the public website
- this works when you have the API, Angular app and public website hosted on different domains
- this doesn't work if you use one database? (this doesn't make sense to me)
-
0
@dreamsmiths sorry, it is my mistake. You need to host the Angular app and the public website on different domains. A single database will work without a problem.
-
0
Thanks for the feedback.
Just to be 100% sure:
- user can log into Angular app (hosted on domain A)
- user will then automatically be logged in on public app (hosted on domain B)
- single database works fine
correct?
-
0
@dreamsmiths exactly :)
-
0
Sorry about all the questions, but I'm struggling to grapple with how this would work (security-wise):
If I log into Site A, can I then do an API call from Site B to get the details of the person who logged in?
- Can you provide an example of this API call?
- I assume you have to set permissions somehow which websites have access to this login information, where would I set this?
I couldn't find too much documentation on this: https://www.aspnetzero.com/Documents/Development-Guide-Core#single-sign-on
-
0
@dreamsmiths it roughly works like this:
When you click login on the public website, it redirects you to the admin (MVC) website. If the user is not logged in on the admin website, the user is redirected to the login page.
Then, the admin website generates a key (GUID) and updates the user with this GUID (SignInToken field). There is also an expiration for this token in the SignInTokenExpireTimeUtc field.
So, the admin website encrypts this token, combines it with the TenantId and UserId properties of the user, and redirects back to the public website.
The public website decrypts this value and gets userId, tenantId and token. It tries to find a user with those three pieces of information. If there is such a user, the public website automatically logs in the user.
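The exchange described in the answer above, as an added example in C# that is not ASP.NET Zero's own code. It models both sides in one process: the admin site stores a one-time GUID and an expiry on the user (the SignInToken and SignInTokenExpireTimeUtc fields named above), encrypts token, user id and tenant id, and appends the result to the return URL; the public site decrypts it, looks the user up by id and tenant, checks the token and its expiry, and then consumes the token. Everything beyond those two field names is an assumption: AES-GCM under a key both sites share (the page does not say which cipher ASP.NET Zero uses), a query parameter named ssoToken, a one-minute lifetime, one-time use, and .NET 8 or later for the two-argument AesGcm constructor.

```csharp
// Added example, not ASP.NET Zero's code. Assumed: AES-GCM under a shared key,
// a query parameter named "ssoToken", a one-minute token lifetime, one-time use.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class User
{
    public long Id { get; init; }
    public int? TenantId { get; init; }
    public Guid? SignInToken { get; set; }                  // field named in the answer
    public DateTime? SignInTokenExpireTimeUtc { get; set; }  // field named in the answer
}

public static class SingleSignInDemo
{
    // Assumed: in production both sites load the same 32-byte key from configuration.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    // Admin site: store a fresh token with an expiry on the user, encrypt
    // "token|userId|tenantId" and append it to the URL the public site supplied.
    public static string AddSingleSignInParametersToReturnUrl(string returnUrl, User user)
    {
        user.SignInToken = Guid.NewGuid();
        user.SignInTokenExpireTimeUtc = DateTime.UtcNow.AddMinutes(1);

        byte[] plaintext = Encoding.UTF8.GetBytes($"{user.SignInToken}|{user.Id}|{user.TenantId}");
        byte[] nonce = RandomNumberGenerator.GetBytes(12);   // fresh nonce per token
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(Key, 16))                // two-argument ctor: .NET 8+
            aes.Encrypt(nonce, plaintext, ciphertext, tag);

        byte[] blob = new byte[nonce.Length + ciphertext.Length + tag.Length]; // nonce||ct||tag
        nonce.CopyTo(blob, 0);
        ciphertext.CopyTo(blob, nonce.Length);
        tag.CopyTo(blob, nonce.Length + ciphertext.Length);
        return returnUrl + (returnUrl.Contains('?') ? "&" : "?") + "ssoToken=" + ToBase64Url(blob);
    }

    // Public site: decrypt, find the user by id + tenant, check token and expiry,
    // then clear the token so the same URL cannot log anyone in a second time.
    public static bool TryAutoLogin(string incomingUrl, IReadOnlyDictionary<long, User> users, out User? loggedIn)
    {
        loggedIn = null;
        string? encoded = GetQueryValue(incomingUrl, "ssoToken");
        if (encoded is null) return false;

        string payload;
        try
        {
            byte[] blob = FromBase64Url(encoded);
            if (blob.Length < 12 + 16) return false;
            byte[] plaintext = new byte[blob.Length - 28];
            using var aes = new AesGcm(Key, 16);
            aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(12, blob.Length - 28),
                        blob.AsSpan(blob.Length - 16), plaintext);   // throws if tampered
            payload = Encoding.UTF8.GetString(plaintext);
        }
        catch (Exception e) when (e is CryptographicException or FormatException)
        {
            return false;
        }

        string[] parts = payload.Split('|');
        if (parts.Length != 3 || !Guid.TryParse(parts[0], out Guid token)
            || !long.TryParse(parts[1], out long userId)) return false;
        int? tenantId = parts[2].Length == 0 ? null : (int?)int.Parse(parts[2]);

        if (!users.TryGetValue(userId, out User? user) || user.TenantId != tenantId) return false;
        if (user.SignInToken != token) return false;                       // unknown or already used
        if (!(user.SignInTokenExpireTimeUtc > DateTime.UtcNow)) return false; // missing or expired

        user.SignInToken = null;                                           // one-time use
        user.SignInTokenExpireTimeUtc = null;
        loggedIn = user;
        return true;
    }

    static string ToBase64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    static string? GetQueryValue(string url, string name)
    {
        foreach (string pair in new Uri(url).Query.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0 && pair.Substring(0, eq) == name) return pair.Substring(eq + 1);
        }
        return null;
    }

    public static void Main()
    {
        var user = new User { Id = 42, TenantId = 1 };           // constructed sample user
        var users = new Dictionary<long, User> { [user.Id] = user };

        string redirect = AddSingleSignInParametersToReturnUrl("https://public.example.com/Account/Login", user);
        Console.WriteLine(TryAutoLogin(redirect, users, out _)); // fresh token
        Console.WriteLine(TryAutoLogin(redirect, users, out _)); // same URL replayed

        string stale = AddSingleSignInParametersToReturnUrl("https://public.example.com/", user);
        user.SignInTokenExpireTimeUtc = DateTime.UtcNow.AddMinutes(-1);
        Console.WriteLine(TryAutoLogin(stale, users, out _));    // expired token

        string forged = AddSingleSignInParametersToReturnUrl("https://public.example.com/", user);
        int i = forged.Length - 3;                               // flip a character inside the tag
        forged = forged.Substring(0, i) + (forged[i] == 'A' ? 'B' : 'A') + forged.Substring(i + 1);
        Console.WriteLine(TryAutoLogin(forged, users, out _));   // tampered ciphertext
    }
}
```

Two properties of this flow are worth keeping whatever cipher you use: the token is short-lived and consumed on first use, because the redirect URL ends up in browser history, proxy logs and Referer headers; and since the return URL originates from the client, the admin site should only redirect back to public-site origins it knows, otherwise it is an open redirect that hands the encrypted token to whichever host is named in the request.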
-
0
Hmm. So this statement is not completely this simple?
- user can log into Angular app (hosted on domain A)
- user will then automatically be logged in on public app (hosted on domain B)
If I am understanding correctly the user first has to click on the login button on the public app, before he will be shown as logged into the public app?
In other words he can go directly to the admin portal and login, but then when he manually navigates to the public app he won't show as logged in? He first has to click the login button?
-
0
Yes, that's how single sign-on works.
-
0
Thanks for the response.
The example you provided shows that all three sites are hosted on the same domain. Would the process work exactly the same when hosting on three different domains?
Because I believe step 9 in the example, "Turkey can now retrieve the ticket from the cookie", won't be as easy if on different domains, because cookies cannot be read across different domains.
-
0
Correct. ASP.NET Zero solves that by passing an encrypted token instead of putting a GUID in the cookie.