Tập tành JWT SSO authentication on drupal 8 and angular application

30th Jun 2022
Table of contents

I have got a requirement in my organization. It is as follows.

We have two applications. One is developed in angular and the second is in durpal. We have a all the users data in angular application. if user logged in with angular application and switched to drupal application. We are planning to use the same user details with oath jws token mechanism. By which user can access the drupal pages and angular pages with unique user details.

So, Please help me in finding the process of it. Any modules or blogs or any ides who may have already come across of it.

JWT token should be created and signed on backend with private key. Frontend could receive it with login request.

mo hinh sso

Then you'll be able to send it a new time to other API or with a redirect URL to Drupal for example. (I don't know implementation of Drupal, but I imagine you can catch it when receiving request).

Maybe in your case, you should consider to implement a central IdP/JWT server which is responsible to authenticate user and deliver safe signed JWT. Then you'll be able to connect both Angular app and Drupal app.

Have a look at this page or you can also consider using Auth0.

Hope this will help you a little bit.

  • https://blog.angular-university.io/angular-jwt-authentication/
  • https://auth0.com/


I've some trouble about the logic of handling my SSO login with cas and the jwt state.

Before starting: User to auth to my app, need to visit cas including as a parameter in url the name of app that need to gain access, ex: myapp.com

After the login the user get redirected with 302 to my app, with a JWT appended in the url: myapp.com/?service=JWT-blablabla

This is how I imagined the flow of the app to check if the user is logged or not or if he's coming with a jwt


I have some question

  1. If the user come with a valid jwt appended but he still have in localstorage a valid JWT, which JWT have the priority the one with the freshest expire time or the old one get automatically invalidate by cas? Remember that the jwt need to be validate by my backend

  2. In my http calls I append my bearer jwt, the problem is that I cache my http calls, if the jwt expire and the user don't make http calls, how can I handle that? I need to logout the user I can't wait to make an http call and tell him it's invalid or should I?


Having implemented SSO recently myself, here are some answers to your questions:

  1. The newest token should take priority, but why is this even happening, i.e. why is there a new jwt token in the url? If the user goes to the login page while they still have a valid jwt token in local storage, they should be redirected to your home page (or somewhere), ps. you cannot invalidate a jwt token.

  2. Once the token has expired, your server should return a 401 response; this is what you should look out for. Check if the user has a jwt token in local storage, and if they also receive a 401, then you know the token has expired so make a call to your api to refresh the token, without redirecting the user to the login page.

Bạn thấy bài viết này như thế nào?
2 reactions


Tommy (not verified)
July 12


Add new comment

Enter the characters shown in the image.
Câu nói tâm đắc: “Điều tuyệt với nhất trong cuộc sống là làm được những việc mà người khác tin là không thể!”

Related Articles

Hướng dẫn từng bước set up một project PHP theo mô hình MVC. Bạn có thể sử dụng source này để tiết kiệm thời gian set up cho project của mình.

All examples are example-style, which means they don't follow best practices (e.g. dependency injecton). This is done to keep them as simple as possible.

The rapid evolution of diverse interfaces and applications has given rise to a dizzying array of digital channels to support.

Under Form Validation Define Counter - Character, Countet Maimum - 1000, Counter Maximum Message - %\%d Characters remaining