Advice on Single Sign On (SSO) MVP help - Urgent [SOLVED]

Currently we have two apps running: accounts, and the other app. We implemented SSO with iframe postMessage. All works well, except Apple users have to disable ‘Prevent cross-site tracking’ for them to log in without issues.
We have different ideas around this.

  1. OAuth. But it’s an MVP. They are both ours, so it doesn’t really make sense.
  2. So take a look: if I have login on accounts.example.com, get the token and redirect to music.example.com/login?tok=tokenId, then call Meteor.loginWithToken with that token.
    The second choice is just sad because someone could sniff that token.

What would you suggest ?

To have an idea of what this mess is all about:

(https://listen.meteorapp.com)
(https://nb-accounts.meteorapp.com)

Add a field for each user account, which you can pass in the URL and query the user by, e.g. a random id. Get the active login token using that random id and then update that field with a new random id, so you are sure that each id is only used once. Then log in the user using the login token.


What we are thinking of is quite similar. Thanks!

We thought of a collection of nonces that will be associated with each login activity.

FYI – some SSO products, like Microsoft’s ADFS, which is SAML, will not run inside an iframe.