SSO mechanism
-
Hi, I am a little lost about the SSO mechanism; I think I need a better understanding...
I configured an API with an OIDC library to use FusionAuth for authentication. The tokens returned by FusionAuth are stored in "api-own-cookie".
When a web client calls the API, it has to present the "api-own-cookie".
-
question 1: if I understand well, we're not using the FusionAuth SSO mechanism because we use our own cookies? We should have the API require the FusionAuth cookie to fully rely on the SSO mechanism?
-
question 2: in the SSO mechanism, does a call to /oauth2/logout?client_id={clientId} or /oauth2/logout?token_id_hint={tokenId} tell the browser to remove the SSO cookie?
-
@quent https://fusionauth.io/docs/v1/tech/core-concepts/users#user-sessions is probably worth reading.
if I understand well, we're not using the FusionAuth SSO mechanism because we use our own cookies? We should have the API require the FusionAuth cookie to fully rely on the SSO mechanism?
You can use the SSO mechanism and your own cookies. Your cookies (the access token/refresh token) control access to your API. SSO controls access across APIs.
For instance, let's say you have API 1 and API 2.
The user logs in and gets a token good for API 1. They interact with API 1 and present the access token.
What happens when they go to API 2? Well, no token is available for that API (because the token that was granted was for API 1). So API 2 bounces the user to FusionAuth. However, FusionAuth recognizes the user (because they logged into API 1) and authenticates them based on the SSO session without them doing anything. Then you set your cookie for API 2, then they are sent to API 2 transparently, which reads the cookie and gives the data/access.
question 2: in the SSO mechanism, does a call to /oauth2/logout?client_id={clientId} or /oauth2/logout?token_id_hint={tokenId} tell the browser to remove the SSO cookie?
Correct. Depending on your application settings, you can log a user out of just the application or of all applications. But all that is doing is a 'front channel' logout, which ends the SSO session and also calls the logout URLs you provided in the application configuration. More here: https://fusionauth.io/docs/v1/tech/oauth/endpoints#logout
This guide may be helpful to you too: https://fusionauth.io/docs/v1/tech/guides/single-sign-on
-
@dan
Thank you. Seems like my SSO isn't working correctly...
I have 2 .NET APIs:
http://localhost:11000/apiA
http://localhost:12000/apiB
I can successfully log in with FusionAuth; I get tokens and my own cookie. But the SSO seems to be achieved by the common .NET cookie: if I delete it I need to log in again, even if the FusionAuth SSO cookie is still there...
-
It is working now, had some issue on my side
-