Learning JWT SSO authentication on Drupal 8 and Angular application
30th Jun 2022
I have got a requirement in my organization. It is as follows.
We have two applications. One is developed in Angular and the second in Drupal. We have all the users' data in the Angular application. If a user logs in to the Angular application and switches to the Drupal application, we are planning to use the same user details with an OAuth JWS token mechanism, by which the user can access the Drupal pages and the Angular pages with unique user details.
So, please help me in finding the process for it. Any modules or blogs or any ideas from anyone who may have already come across it.
The JWT token should be created and signed on the backend with a private key. The frontend could receive it with the login request.
Then you'll be able to send it again to another API, or with a redirect URL to Drupal, for example. (I don't know the implementation of Drupal, but I imagine you can catch it when receiving the request.)
Maybe in your case you should consider implementing a central IdP/JWT server which is responsible for authenticating users and delivering safely signed JWTs. Then you'll be able to connect both the Angular app and the Drupal app.
Have a look at this page, or you can also consider using Auth0.
Hope this will help you a little bit.
I'm having some trouble with the logic of handling my SSO login with CAS and the JWT state.
Before starting: to authenticate to my app, the user needs to visit CAS, including as a parameter in the URL the name of the app that needs to gain access, e.g. myapp.com
After the login the user gets redirected with a 302 to my app, with a JWT appended in the URL:
This is how I imagined the flow of the app to check if the user is logged in or not, or if he's coming with a JWT
I have some questions
If the user comes with a valid JWT appended but still has a valid JWT in localStorage, which JWT has priority, the one with the freshest expiry time, or does the old one get automatically invalidated by CAS? Remember that the JWT needs to be validated by my backend
In my HTTP calls I append my bearer JWT; the problem is that I cache my HTTP calls. If the JWT expires and the user doesn't make HTTP calls, how can I handle that? I need to log out the user; I can't wait to make an HTTP call and tell him it's invalid, or should I?
Having implemented SSO recently myself, here are some answers to your questions:
The newest token should take priority, but why is this even happening, i.e. why is there a new JWT token in the URL? If the user goes to the login page while they still have a valid JWT token in local storage, they should be redirected to your home page (or somewhere). PS: you cannot invalidate a JWT token.
Once the token has expired, your server should return a 401 response; this is what you should look out for. Check if the user has a JWT token in local storage, and if they also receive a 401, then you know the token has expired, so make a call to your API to refresh the token without redirecting the user to the login page.