OpenId Connect, SSO and SPA

1
votes

Can I use OpenId Connect to implement SSO between two Single Page Applications (SPA)? If yes, what would be the flow.

Scenario: App1 (SPA) starts and uses one of the OIDC flows to obtain Id_token and acccess token. It then makes many REST API calls. At some later time, user clicks on a button that brings up second SPA App2. Both app belongs to same company. Can App2 utilize Id_token and access token obtained by App1 for SSO? Looking at the spec, answer appears to be NO, because these tokens are meant for a specific client. Any other flow that enables SSO between two SPAs using OIDC? or is it outside the scope of OpenId Connect, in which case we have to look at traditional propitiatory solutions like CA, IBM etc. Thanks.

1
oauth-2.0single-sign-onsingle-page-applicationopenid-connect

1 Answers

4
votes

I would use the implicit flow for both apps. It could work like this:

  1. App1 goes to the auth endpoint of the OpenID Connect server. To get the tokens, the user has to get authenticated and the OIDC server may create a session for him (identified by a cookie).
  2. App1 opens a new tab with App2.
  3. App2 doesn't have tokens yet, so it goes to the OIDC auth endpoint. The OIDC server recognizes the session created in step 1 and it may decide decide to release the tokens without authentication and redirect back to App2.

This way, each app would get its own tokens (yes, they are released for a specific client). And the user would not be bothered by authentication for the second app. But the OIDC behavior in step 3 is not standardized and depends on implementation. For example, it may depend on what scopes the apps are requesting - if they are not the same for both apps, the OIDC could require authentication for the second app as well.

If you also need single sign out, there is a specification for that: http://openid.net/specs/openid-connect-session-1_0.html You create two iframes in your apps - one for detecting OIDC session changes and one for communication between the first iframe and the app. The specification contains even examples of the iframe documents.