Concept

Single sign-on (SSO)

In a landscape of multiple application systems, a user needs to log in only once to access all of the other mutually trusted applications.

For example: Taobao (www.taobao.com), Tmall (www.tmall.com), Juhuasuan (ju.taobao.com), Fliggy (www.fliggy.com) and so on are all websites of Alibaba Group. Once we log in to one of these sites we can visit the others without logging in again, and that is the main purpose of SSO.

Benefits

User perspective

Users log in once and can use every system, with no need to remember several sets of usernames and passwords.

System administrator perspective

The administrator only has to maintain a single unified account centre, which is convenient.

New system development perspective

A new system only needs to connect to the unified account centre, which simplifies development and saves time.

Technical implementation

Flow chart

Process description

Without this description the flow chart above would be confusing, so here is how to read it.

System A and system B have separated front ends and back ends. For example, the front end is built with a framework such as React/Vue/Angular, compiled with npm and deployed independently; front end and back end communicate through HTTP interfaces.

The SSO authentication centre either has separated front and back ends as well, or deploys its front-end and back-end code in one project.

Why show both cases?

The purpose is to have both cases on the flow chart so that the picture is clear; changing to either one later is then straightforward.

Consider the following:

If all three systems have separated front and back ends, how should the flow chart be adjusted?

If none of the three systems separates front and back ends, how should the flow chart be adjusted?

External interfaces

System A and system B: a user logout interface.

SSO authentication centre: a user logout interface and a token authentication interface.

Login

Consistent with the flow chart above:

System A and system B: log in using token authentication.

SSO authentication centre: log in using session authentication.

In a project with separated front and back ends, login is handled with a token, and the front end must send the token as a parameter with every request to an interface.

Logout

The figure above shows the flow for logging out from one system.

You can also log out from the SSO authentication centre, which then calls the user logout interface of each system.

When the user next performs an operation, the SSO login page is displayed.

Token generation

The global session can be implemented with a session stored in Redis.

Tokens can be generated with JWT.

PHP JWT reference: https://github.com/lcobucci/jwt

Of course, you can also define your own way of generating tokens.
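As an added example (not code from the original article, nor from the lcobucci/jwt library), the following Python sketch walks through the flow described in the sections above: the SSO centre logs the user in with session authentication and keeps a global session store (a dict standing in for Redis), issues an HS256 JWT-style token bound to that session, exposes the token authentication interface that systems A and B call on every request, and on logout drops the global session and calls each system's user logout interface. The class names SsoCenter and TrustedSystem, the user, the password and the shared signing key are all constructed for this example, and the hand-rolled HS256 signing stands in for a real JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets

SSO_SECRET = b"constructed-demo-secret-do-not-reuse"  # shared HMAC key; constructed here, load from config in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SsoCenter:
    """Hypothetical stand-in for the SSO authentication centre."""
    def __init__(self, users, ttl_seconds=3600):
        self.users = users          # username -> sha256(password) hex (constructed)
        self.ttl = ttl_seconds
        self.global_sessions = {}   # session id -> username; Redis in a real deployment
        self.systems = {}           # system name -> that system's user logout callback

    def login(self, username, password):
        """Session authentication at the centre: returns a global session id, or None."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, digest):
            return None
        sid = secrets.token_urlsafe(16)
        self.global_sessions[sid] = username
        return sid

    def issue_token(self, sid, now):
        """Build a compact JWT-style token (HS256) bound to the global session; now is unix seconds."""
        claims = {"sub": self.global_sessions[sid], "sid": sid, "iat": now, "exp": now + self.ttl}
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(SSO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def verify_token(self, token, now):
        """Token authentication interface: returns the claims, or None if the token is rejected."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, payload, sig = parts
        expected = hmac.new(SSO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url(expected), sig):
            return None             # signature mismatch: tampered or not issued by this centre
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) <= now:
            return None             # expired
        if self.global_sessions.get(claims.get("sid")) != claims.get("sub"):
            return None             # global session gone (logged out): force a fresh SSO login
        return claims

    def logout(self, sid):
        """User logout interface: drop the global session, then call each system's logout interface."""
        username = self.global_sessions.pop(sid, None)
        if username is None:
            return []
        return [name for name, cb in self.systems.items() if cb(username)]


class TrustedSystem:
    """Hypothetical stand-in for system A / system B."""
    def __init__(self, name, center):
        self.center = center
        self.local_sessions = set()  # usernames with a live local session
        center.systems[name] = self.user_logout

    def handle_request(self, token, now):
        """The front end sends the token with every request; a rejected token means 'go to SSO login'."""
        claims = self.center.verify_token(token, now)
        if claims is None:
            return "redirect:sso-login"
        self.local_sessions.add(claims["sub"])
        return f"ok:{claims['sub']}"

    def user_logout(self, username):
        """Logout interface called by the centre; True if a local session was cleared."""
        had_session = username in self.local_sessions
        self.local_sessions.discard(username)
        return had_session


def demo(now=1_700_000_000):
    """Walk the flow: login at the centre, use A and B with one token, reject bad tokens, global logout."""
    center = SsoCenter({"alice": hashlib.sha256(b"correct horse").hexdigest()})  # constructed user
    sys_a, sys_b = TrustedSystem("A", center), TrustedSystem("B", center)
    sid = center.login("alice", "correct horse")
    token = center.issue_token(sid, now)
    header, payload, sig = token.split(".")
    forged_claims = dict(json.loads(_b64url_decode(payload)), sub="mallory")  # new subject, old signature
    forged = f"{header}.{_b64url(json.dumps(forged_claims).encode())}.{sig}"
    results = {"bad_login": center.login("alice", "wrong password"),
               "a_first": sys_a.handle_request(token, now),
               "b_first": sys_b.handle_request(token, now),
               "forged": sys_a.handle_request(forged, now),
               "expired": sys_a.handle_request(token, now + 7200)}
    results["logout_notified"] = center.logout(sid)
    results["a_after_logout"] = sys_a.handle_request(token, now)
    return results
```

The check against the global session store in verify_token is what makes a logout at the centre take effect at once: a signed token whose exp has not yet passed is otherwise still valid, so without that lookup a user who logged out could keep using systems A and B until the token expired.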

Summary

This article has explained what SSO is, what it is used for and its benefits, and walked through the flow chart step by step; with that, a basic implementation is achievable.

If you run into any problems, follow the public account and get in touch with me.

Extension

Difference between SSO and OAuth

When talking about SSO, many people think of OAuth, and others think of SSO when talking about OAuth. Here I will briefly explain the difference.

In popular terms, SSO handles login across the different application systems within one company. For example, Alibaba owns many application systems, and we only need to log in to one of them to move freely between the others.

OAuth is an authorization scheme and protocol followed across different companies, usually provided by large companies such as Tencent and Weibo. The advantage of using OAuth is that users can log in to our system with an existing third-party account, which reduces the risk of losing users who are unwilling to register.

Some payment services also use OAuth, such as WeChat Pay and Alipay.

Some open platforms also use OAuth, such as the Baidu Open Platform and the Tencent Open Platform.

Relationship between SSO and RBAC

If an enterprise has multiple management systems, unified login authentication is now used instead of a separate login for each system.

Each management system also has its own access control. Drawing on the experience of unified login authentication, we can likewise build unified RBAC permission authentication.

Recommended reading

  • Dividing eight litres of water equally with three buckets – “The Joy of Algorithms”

  • Having used Redis, I didn’t even know about RDB

  • Composer package development is surprisingly easy

This article may be forwarded; when forwarding, please credit the author and the source. Thank you!