[Question] How to support single sign on in Meteor?


#1

Hello folks,

We are working on a project which has 2 separated Meteor App website. But the customer asks for Single Sign On support in this project.

For example, a user registered in website A can login website B without registering again and vice versa.

We did some research about this, but still don’t find a proper way to do that. Ideas like:

  1. Build a User account database shared by these 2 Meteor App.
  2. Write some server side code to sync up user account database operations between these 2 websites

Any advices and hints?

Thanks a lot,
-Bryan


#2

Here is your friend:
http://docs.meteor.com/#/full/accounts_api


#3

I’m working with cooloney on this. Let me explain a little further.

Basically there are two sites mysite.cn and mysite.com, one in China and one in US. We don’t want them to share the same mongodb database because database access could be slow. So each site has its own local mongodb database. But we do want them to share the same users collection, in the sense that:

  1. Users are expected to register once and be able to logon to both sites.
  2. Preferably, if a user has logged on one site, he/she is automatically logged on the other site.

For the ability to register once and logon to both sites, just as cooloney said, we are considering two approaches:

  • Build a user account database shared by two sites. Then each site has to access two databases, one local database with all information except users collection, and the other with users collection only. As http://stackoverflow.com/questions/20535755/using-multiple-mongodb-databases-with-meteor-js suggests, for a meteor app to access an additional database is possible but without opLog capability.

  • Each site has its own users collection, but runs collection insertion/updating/removal hooks to sync with the other site. For this approach some transaction and roll back mechanism must be implemented: what if local database is updated successfully but synchronizing with remote database fails?

For the ability to automatically logon, I see this package https://atmospherejs.com/admithub/shared-auth , it achieve this by embedding iframe of sites to each other, and then passing loginTokens between pages and iframes. I haven’t tried it yet, I’m not sure if this is secure enough.

Any suggestion is appreciated!

By the way, I see how forum .meteor.com accounts are derived from www .meteor.com accounts, this may not be convenient enough for the user, but at least both sites share the same username/password. I’m curious how this is implemented. Thanks!


#4

Mhh. Interesting I’m looking for something similar. I had a different strategy in mind though. I planned an OAuth provider and share it between the apps…

Sandstorm.io might be an interesting case, I figure. Users are authenticated on Top-Level and the sandstorm apps get this authentication passed in via http-headers:

https://docs.sandstorm.io/en/latest/developing/auth/


#5

Suggestions:

http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
http://themeteorchef.com/recipes/roll-your-own-authentication/

Don’t forget to read this:

Example thingie:


#6

Thank you. I will look into it.


#7

The easier way would probably be to run an OAuth server and use that for your accounts system.


#8

Can you share how to solve the above one??

I am thinking that I will make one more meteor app and then

the two application will delegate the login process to the third one.

I think login with password seems OK but login with facebook would be difficult…

Can you share your solution and give me some advice??