Dabbling in JWT SSO authentication on Drupal 8 and Angular application

30th Jun 2022

I have got a requirement in my organization. It is as follows.

We have two applications. One is developed in Angular and the second is in Drupal. We have all the users' data in the Angular application. If a user logs in with the Angular application and switches to the Drupal application, we are planning to use the same user details with an OAuth JWS token mechanism, by which the user can access the Drupal pages and Angular pages with unique user details.

So, please help me in finding the process for it. Any modules or blogs or any ideas from those who may have already come across it.

The JWT token should be created and signed on the backend with a private key. The frontend could receive it with the login request.

(Figure: SSO model)

Then you'll be able to send it again to another API or with a redirect URL to Drupal, for example. (I don't know the Drupal implementation, but I imagine you can catch it when receiving the request.)

Maybe in your case, you should consider implementing a central IdP/JWT server which is responsible for authenticating users and delivering safe signed JWTs. Then you'll be able to connect both the Angular app and the Drupal app.

Have a look at this page or you can also consider using Auth0.

Hope this will help you a little bit.

  • https://blog.angular-university.io/angular-jwt-authentication/
  • https://auth0.com/


I have some trouble with the logic of handling my SSO login with CAS and the JWT state.

Before starting: to authenticate to my app, the user needs to visit CAS, including as a parameter in the URL the name of the app that needs to gain access, e.g. myapp.com

After the login the user gets redirected with a 302 to my app, with a JWT appended in the URL: myapp.com/?service=JWT-blablabla

This is how I imagined the flow of the app to check if the user is logged in or not, or if he's coming with a JWT


I have some questions

  1. If the user comes with a valid JWT appended but still has a valid JWT in localStorage, which JWT has priority: the one with the freshest expiry time, or does the old one get automatically invalidated by CAS? Remember that the JWT needs to be validated by my backend.

  2. In my HTTP calls I append my bearer JWT. The problem is that I cache my HTTP calls: if the JWT expires and the user doesn't make HTTP calls, how can I handle that? I need to log out the user. I can't wait to make an HTTP call and tell him it's invalid, or should I?


Having implemented SSO recently myself, here are some answers to your questions:

  1. The newest token should take priority, but why is this even happening, i.e. why is there a new JWT token in the URL? If the user goes to the login page while they still have a valid JWT token in local storage, they should be redirected to your home page (or somewhere). P.S. You cannot invalidate a JWT token.

  2. Once the token has expired, your server should return a 401 response; this is what you should look out for. Check if the user has a JWT token in local storage, and if they also receive a 401, then you know the token has expired, so make a call to your API to refresh the token, without redirecting the user to the login page.
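
The token choice and client-side expiry handling discussed in the question and answer above, as an added example (not code from the original posts). The function names, the `jwt` storage key and the `store`/`onExpire` parameters are hypothetical; it assumes the token carries a numeric `exp` claim in seconds and treats the later `exp` as the "newest" token.

```javascript
// Read a JWT payload WITHOUT verifying it. Signature validation stays on the
// backend; the client only needs `exp` to choose a token and time the logout.
function readClaims(jwt) {
  const parts = String(jwt || "").split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    const claims = JSON.parse(atob(padded));
    return typeof claims.exp === "number" ? claims : null;
  } catch (e) {
    return null; // malformed token: treat it as absent
  }
}

// Choose between the token from the URL and the one in storage: drop expired
// or malformed tokens, then keep the one that expires last.
function pickToken(urlToken, storedToken, nowMs) {
  const best = [urlToken, storedToken]
    .map((token) => ({ token, claims: readClaims(token) }))
    .filter((c) => c.claims && c.claims.exp * 1000 > nowMs)
    .sort((a, b) => b.claims.exp - a.claims.exp)[0];
  return best ? { token: best.token, msLeft: best.claims.exp * 1000 - nowMs } : null;
}

// Hypothetical wiring: `store` is localStorage-like, `onExpire` logs the user out.
function startSession(href, store, onExpire, nowMs = Date.now()) {
  const url = new URL(href);
  const urlToken = url.searchParams.get("service"); // parameter name used in the post
  url.searchParams.delete("service"); // keep the token out of history and Referer
  const picked = pickToken(urlToken, store.getItem("jwt"), nowMs);
  if (!picked) {
    store.removeItem("jwt"); // nothing usable: caller redirects to the CAS login
    return { cleanUrl: url.toString(), token: null, timer: null };
  }
  store.setItem("jwt", picked.token);
  // Log out at expiry even if no HTTP call is made (setTimeout caps near 2^31-1 ms).
  const timer = setTimeout(onExpire, Math.min(picked.msLeft, 2147483647));
  return { cleanUrl: url.toString(), token: picked.token, timer };
}
```

In the browser, apply `cleanUrl` with `history.replaceState`, and still treat a 401 from the backend as the authoritative signal that the token is no longer accepted.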
