Tập tành JWT SSO authentication on drupal 8 and angular application

30th Jun 2022
Table of contents

I have got a requirement in my organization. It is as follows.

We have two applications. One is developed in angular and the second is in durpal. We have a all the users data in angular application. if user logged in with angular application and switched to drupal application. We are planning to use the same user details with oath jws token mechanism. By which user can access the drupal pages and angular pages with unique user details.

So, Please help me in finding the process of it. Any modules or blogs or any ides who may have already come across of it.

JWT token should be created and signed on backend with private key. Frontend could receive it with login request.

mo hinh sso

Then you'll be able to send it a new time to other API or with a redirect URL to Drupal for example. (I don't know implementation of Drupal, but I imagine you can catch it when receiving request).

Maybe in your case, you should consider to implement a central IdP/JWT server which is responsible to authenticate user and deliver safe signed JWT. Then you'll be able to connect both Angular app and Drupal app.

Have a look at this page or you can also consider using Auth0.

Hope this will help you a little bit.

  • https://blog.angular-university.io/angular-jwt-authentication/
  • https://auth0.com/

Issue

I've some trouble about the logic of handling my SSO login with cas and the jwt state.

Before starting: User to auth to my app, need to visit cas including as a parameter in url the name of app that need to gain access, ex: myapp.com

After the login the user get redirected with 302 to my app, with a JWT appended in the url: myapp.com/?service=JWT-blablabla

This is how I imagined the flow of the app to check if the user is logged or not or if he's coming with a jwt

JWT

I have some question

  1. If the user come with a valid jwt appended but he still have in localstorage a valid JWT, which JWT have the priority the one with the freshest expire time or the old one get automatically invalidate by cas? Remember that the jwt need to be validate by my backend

  2. In my http calls I append my bearer jwt, the problem is that I cache my http calls, if the jwt expire and the user don't make http calls, how can I handle that? I need to logout the user I can't wait to make an http call and tell him it's invalid or should I?

Solution

Having implemented SSO recently myself, here are some answers to your questions:

  1. The newest token should take priority, but why is this even happening, i.e. why is there a new jwt token in the url? If the user goes to the login page while they still have a valid jwt token in local storage, they should be redirected to your home page (or somewhere), ps. you cannot invalidate a jwt token.

  2. Once the token has expired, your server should return a 401 response; this is what you should look out for. Check if the user has a jwt token in local storage, and if they also receive a 401, then you know the token has expired so make a call to your api to refresh the token, without redirecting the user to the login page.

Bạn thấy bài viết này như thế nào?
2 reactions

Comments

Tommy (not verified)
July 12

drupal.com/jwt/token
drupal.com/session/token

Add new comment

Image CAPTCHA
Enter the characters shown in the image.
Câu nói tâm đắc: “Điều tuyệt với nhất trong cuộc sống là làm được những việc mà người khác tin là không thể!”

Related Articles

Master list (in progress) of how to get parts of fields for use in Twig templates. I’m always having to look these up, so I thought I’d hash them out and write them down.

Litespeed Cache là plugin WordPress dùng để kết hợp với Web Server LiteSpeed nhằm tăng tốc website WordPress của bạn gấp nhiều lần

In this article, we are going to see how some tools & libraries will make people's lives easier during the development & code review process.

In this tutorial, you will learn how to improve the custom code, theme and module, and general code development by using the pre-commit hook on git

Trước khi tìm hiểu xem PHP Code Sniffer là gì thì các bạn cần phải nắm được coding convention là gì đã.