I can not understand how to configure single sign-on between my application and another application we've deployed. I was trying again to set up this stuff, so I hoped that someone could explain if I'm on the right track, both from the point of view of the operation and the security.
We have our app (let's say it's https://app.mydomain.com).
- Our users connect to it with their user / pass.
- This application uses angular and webapi.
- The connection endpoint uses Microsoft.AspNet.Identity.Owin.SignInManager.
All this has been put in place by our previous developer, so my knowledge of how it works is not as good as I would like.
We now want to allow our users to use Jupyter Notebook. Let's say we have this configuration at https://jupyter.mydomain.com. And, as they are already connected to our app, we do not want them to be forced to reconnect to Jupyter.
One of our AWS guys set up Jupyter with the help of jwtauthenticator. His initial request was that I code our app to do the following:
- Generate a JWT token in our application.
- Add a link in the app that would open jupyter.mydomain.com in a new tab.
- Pass a
Authorization: bearer header when this link is clicked.
He tested sending this header in PostMan successfully. However, on the apps side, I do not believe it's possible to tell the browser to send headers when opening in a new tab, so this solution does not work.
The following suggestion from our AWS manager has decided to configure it with the help of query parameters. Basically, something like:
It also worked for him in PostMan and I'm pretty sure it would work in the application. But is not that a security risk, even with HTTPS? I think at least that the token is registered in the server logs, which, in my opinion, is not a good idea.
The idea of query parameter m was reminiscent of using POST because I think the token would be encrypted at that time. But, even if I am correct, it seems that jwtauthenticator will not handle POST requests. I guess it could be changed to handle them, but I'm not sure that's the right solution.
After reviewing the jwtauthenticator code, it looks like he will also look for a cookie named XSRF-TOKEN. That's what I thought is the appropriate solution, but I'm not sure. Moreover, I can not make it work.
Here's what I do:
- The user clicks the link that reaches an endpoint (for example, api / auth / jupyter)
- The endpoint generates a JWT token
- Endpoint sets the cookie.
- The name is XSRF-TOKEN.
- The value is the JWT token string.
- Secure is true
- HttpOnly is wrong
- The domain is mydomain.com
- The path is /
- The OK response with the cookie is returned to the client (DevTools for app.mydomain.com indicates that the cookie is set).
- Call window.open ("https://jupyter.mydomain.com") (DevTools for jupyter.mydomain.com also indicates that the cookie is set).
Unfortunately, I get a 401 error. I've also tried setting this cookie in PostMan and testing it, which also corresponds to a 401. Judging by the jwtauthenticator code, I think the only thing that could occur is that the cookie is not read.
So, I guess I have a few questions:
Is there a security reason that would prevent the cookie from being read? I've assumed that since they are on the same domain, the problem would not arise.
Assuming I can have the problem with reading the cookie, is it secure? I'm afraid that there is still a problem of CSRF.
In general, is this an appropriate way to provide SSO? Or are we going in the wrong way? I know that security is not always easy, but our guy AWS and I spent a lot of time trying to find a solution. It seems easy. All we have to do is send the token to the Jupyter server. But it turns out to be very difficult, which makes me think that we are doing the wrong thing.