Preface

Enterprises may own several first-level (registrable) domain names. To give users a better experience, they should not have to log in to each site separately, so single sign-on (SSO) is required: once a user logs in to one site, the other sites pick up the login state and moving between sites becomes seamless.

The outline

  • Login on the Internet
  • The session with a cookie
  • Single sign-on (SSO)

Login on the Internet

What is login?

Login is the mechanism by which the client and the server establish who the current user is.

Today most Internet logins use a mobile phone number, a social account, and so on. Client/server (C/S) websites do not log users in directly by device ID, for two reasons:

  1. A device ID is unreliable and easy to forge
  2. One device may need to log in to several accounts

The main concern is security and reliability: rather than trusting the hardware, the login relies on the upstream carrier (the phone number) or a third-party social network.

PS: Almost all Internet products now require binding a mobile phone number, both for compliance and to make things easier for users.

The session with a cookie

A session is user data stored in server memory. A cookie is a way of adding state to stateless HTTP; it is stored on the client side.

The cookie holds the session ID, and the server keeps the mapping from session ID to session data. When a request arrives, the server looks up the session by the session ID from the cookie and then runs the business logic.

Most Internet systems use a microservice architecture. In e-commerce, for example, there are a user service, an order service, a commodity service, and so on. If each service kept its own copy of the session data, every status update would have to be propagated to all of them, so most services fetch session data from the user service instead.

But there are still problems:

  1. The user service itself runs on several servers, so it still has to manage state across them
  2. With a large number of users, server memory usage becomes significant
  3. The other services put load on the user service by requesting session data from it

Stateless login

JWT (JSON Web Token): stores the user state in JSON format on the client. This typically includes the user ID and some necessary data, since most scenarios only need the user ID. At login the server encrypts and signs this information and puts it into a cookie. Every request then carries the JWT, and each service obtains the user's basic information by decrypting and verifying it locally, without calling the user service.

Single sign-on (SSO)

Single sign-on (SSO) is the unified way to handle cross-domain login in web scenarios.

A cookie can only be written for the current domain and its parent domains. With many separate domain names (a.com, b.com), each its own cookie scope, how is the login state synchronized between them?

Method 1: Synchronize the login

Divide the domain names into one primary domain name and several secondary domain names: there is exactly one primary and any number of secondaries.

After a login succeeds on the current domain, a time-dependent token is generated and the login-synchronization interface of each other domain is called in a batch, carrying that token; once those calls complete, the login state is synchronized. These ajax calls are cross-domain, so they go through CORS (cross-origin resource sharing) or JSONP.

Advantages:

  1. Login synchronization happens rarely, so the load on the services is low
  2. Easy to roll out: only the login function is affected, not the architecture of the whole website

Disadvantages:

  1. It does not work in the browser's incognito (private) mode, which has to be handled at the product level
  2. If there are many subdomains, the login experience on the current site may suffer (login may become slow).

Method 2: Synchronize during use

After a successful login on a.com, the login is not synchronized to b.com immediately.

When the user visits b.com, the page calls a.com to obtain a code, the b.com server consumes the code, and the login on b.com succeeds.

This method requires a login check on every page of the b.com site.

Advantages:

  1. The main logic is not affected
  2. Login happens only when the site is actually used

Disadvantages:

  1. Because every page must be checked as it loads, the existing page architecture needs some adjustment
  2. Also because of the point above, when user information needs to be updated, either the page must be refreshed or the user state must be updated in place without a refresh (for a large website this is hard, because there are many modules and the way they obtain user information may not be standardized).
  3. Incognito mode cannot be used

Method 3: Front-end-maintained token

That is, the login state is kept in a front-end cache. The two methods above keep using HttpOnly cookies and are comparatively secure.

With a front-end-maintained token, every API request must carry the token itself, so the site has to handle that, unlike cookies, which the browser attaches for you. With this approach the master site saves the token to its cache after login. When the user enters a sub-site, the sub-site embeds the master page in an iframe and obtains the master's token through postMessage. It can even fetch the token from the master on every use instead of copying it to the sub-site.

This is how Google and its YouTube subsidiary do it.
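The iframe-plus-postMessage handoff, as an added example that is neither the article's code nor how Google implements it. The origins are assumed and the master's token cache is a constructed variable. The detail worth seeing is that both sides check the other's origin: the master answers only frames from allowlisted sub-sites (otherwise any page that embeds the master gets the token), and the sub-site accepts a reply only from the master origin. The handlers are written as plain functions over message-event objects so the exchange can be run outside a browser; the comments show how they hook into `window.addEventListener('message', ...)`.

```javascript
// Added example, not the article's or any vendor's code: a front-end token
// handed from the master page to a sub-site via an iframe and postMessage.
const MASTER_ORIGIN = 'https://master.example';                         // assumed
const SUB_SITE_ORIGINS = new Set(['https://sub1.example', 'https://sub2.example']); // assumed

// --- master page (loaded inside the sub-site's iframe) ---
let masterToken = null; // stands in for the master's cache (e.g. localStorage)

function masterLogin(token) { masterToken = token; }

// Handle one incoming message event; returns what to postMessage back, or null
// when nothing may be sent. In the browser:
//   window.addEventListener('message', (e) => {
//     const reply = masterHandleMessage(e);
//     if (reply) e.source.postMessage(reply.data, reply.targetOrigin);
//   });
function masterHandleMessage(event) {
  // Never answer an unknown origin: otherwise any page that frames us gets the token.
  if (!SUB_SITE_ORIGINS.has(event.origin)) return null;
  if (!event.data || event.data.type !== 'get-token') return null;
  // targetOrigin pins the recipient: the browser drops the reply if the
  // requesting window has since navigated somewhere else.
  return { targetOrigin: event.origin, data: { type: 'token', token: masterToken } };
}

// --- sub-site page ---
// The request the sub-site sends to the iframe:
//   iframe.contentWindow.postMessage(msg.data, msg.targetOrigin)
function subSiteRequest() {
  return { targetOrigin: MASTER_ORIGIN, data: { type: 'get-token' } };
}

// Accept a reply only from the master origin; anything else is ignored.
function subSiteHandleMessage(event) {
  if (event.origin !== MASTER_ORIGIN) return null;
  if (!event.data || event.data.type !== 'token') return null;
  return event.data.token; // null means "not logged in at the master"
}

// Wire both halves together for one round trip, playing the browser's part:
// the message is delivered only if targetOrigin matches the receiving window.
function roundTrip(requesterOrigin) {
  const req = subSiteRequest();
  if (req.targetOrigin !== MASTER_ORIGIN) return null;
  const reply = masterHandleMessage({ origin: requesterOrigin, data: req.data });
  if (!reply || reply.targetOrigin !== requesterOrigin) return null;
  return subSiteHandleMessage({ origin: MASTER_ORIGIN, data: reply.data });
}

module.exports = { masterLogin, masterHandleMessage, subSiteRequest, subSiteHandleMessage, roundTrip };
```

Even with both origin checks in place the token is readable by every script running on the sub-site page, which is the exposure the disadvantages below describe; the checks only stop other origins from asking for it.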

Advantages:

  1. Incognito mode works
  2. A front-end-maintained token is flexible: different tabs in the same browser can use different accounts

Disadvantages:

  1. Security: the token is exposed to third-party scripts (third-party npm packages, analytics scripts, XSS injection). Unless you use no third-party scripts, or every third-party script is a white box to you, and all user input and page URL parameters are defended against XSS, every user who logs in to the site is exposed.
  2. It has a big impact on the website architecture (if the site started out using cookies)

Method 4: Unified passport

All logins go through a unified portal, and every site the user is not logged in to redirects to this portal for login or login-state synchronization. After login, the portal generates a one-time token and carries it to the sub-site's token-consumption page; after the sub-site consumes the token and the login succeeds, it redirects to the page the user originally wanted to visit.

Advantages:

  1. Simple and crude: every login goes through the one unified entry point and a redirect
  2. Incognito mode works

Disadvantages:

  1. The experience is not great: there is a visible page redirect during login

Conclusion

In this article we looked at how Internet login is implemented and at the roles of sessions and cookies, and then at our actual topic: several ways to implement single sign-on, and the pros and cons of each.

Each implementation has its advantages and disadvantages. We have to analyze the current business scenario as a whole to decide which one to use; no method is good or bad in itself, and discussing solutions without looking at the scenario is empty talk. Making acceptable trade-offs for the scenario, in line with where that scenario is heading, is what architecture is about!

That is all.