FusionAuth

    Cross-platform SSO

      stunny

      Hi there. I'm trying to implement SSO for cross-platform SSO. Let's say an end user signs into a desktop application and then clicks a link that opens a browser with a web app. They share the same user base.

      The problem I ran into is that those apps don't share the same backend and, as I mentioned, one of them is not run in a browser.

      I'm thinking of using the same FusionAuth application and then passing the access token as a URL parameter (when an end user logs into the desktop app and tries to access the web app). I know that passing the token in the URL is not the best solution. Do you have some better advice maybe? Thanks!

        maciej.wisniowski Power User

        Hi. I don't understand your issue. Do you want to have the same users in the web browser and in the desktop application or not?

        I can tell you how we've implemented the desktop application integration with FusionAuth and our web application (same users everywhere). It works in the following way:

        1. The desktop application user triggers a login event (e.g. clicks the Log in button) and a browser window with the FusionAuth login page is opened.

        2. As soon as the user logs in (they might even be already logged in due to SSO), FusionAuth redirects the browser window to a page that triggers opening a custom protocol link, e.g. myprotocol://openmyapp, with the parameters necessary to complete the Authorization Code flow (these are from FusionAuth).

        3. The desktop application is configured to be opened when such a custom protocol is requested (for mac/Linux this is an XDG open mechanism).

        4. The desktop application completes the Authorization Code grant flow (using the provided parameters) with FusionAuth and gets an access token and a refresh token.

        From this point, the desktop application can issue requests to the backend APIs using the accessToken.

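The desktop side of steps 1 to 4 above, as an added example that is not part of the post or of FusionAuth's own code. It goes beyond the post by binding the callback to a `state` value and a PKCE verifier (RFC 7636), so that only a one-time code, never the access token, travels in the `myprotocol://` link. The host `auth.example.com`, the client id placeholder and the function names are assumptions; `/oauth2/authorize` and `/oauth2/token` are FusionAuth's OAuth endpoints.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders: the FusionAuth host and client id are not from the thread.
AUTH_BASE = "https://auth.example.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "myprotocol://openmyapp"  # custom protocol link named in the post


def begin_login():
    """Step 1: build the URL to open in the browser; keep state and verifier in memory."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{AUTH_BASE}/oauth2/authorize?{query}", state, verifier


def handle_callback(callback_url, expected_state, verifier):
    """Steps 2-4: validate the custom-protocol link and return the token request form."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}" != REDIRECT_URI:
        raise ValueError("unexpected redirect target")
    params = parse_qs(parts.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # Any local program or web page can open myprotocol:// links, so an
    # unknown or missing state means the link did not come from our login.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated authorization code")
    # Form body to POST to AUTH_BASE + "/oauth2/token" over TLS (step 4).
    return {
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "code": codes[0], "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
```

The returned form is what the desktop application posts to the token endpoint; the access and refresh tokens come back in that response body rather than in any URL.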
          stunny

          Hi and thanks for sharing your case.

          The goal here is:

          1. The user logs into desktop application.
          2. Then clicks on a link, e.g. "Edit account", that actually leads to a web application in a browser.
          3. The user gets logged into the desktop application without needing to enter credentials again. Of course, if the user just accesses the same page directly from the browser (not from the desktop application), then the Authorization Code flow is implemented.
            maciej.wisniowski Power User

            What do you mean by 'user logs into desktop application'? How would you like to implement it?
            If you implement step 1 as I've described in my previous post (by opening the browser window to log the user in), then there will be an SSO session in the browser already.
            This is the flow that the OAuth specs define for native applications, e.g. desktop ones: https://datatracker.ietf.org/doc/html/rfc6749#section-9

            This means that in step 3. when the browser is opened, the user is already authenticated.
