Reputation: 11
Currently, we are building a web-based application, and we have a web server and an application server hosting our resources. Also, we will use Mule ESB to be able to use any web service or API. And we will have an Alfresco DMS solution, and we will use the Alfresco service with Mule ESB.
We are investigating how we can implement an SSO approach for this scenario. We already have IdentityServer4 for identity federation. It issues an access token for the client, and we need to authenticate the user whenever the user is at the Mule ESB side without asking the user for credentials again. According to my research, an external identity provider can be added on Mule ESB. The thing we do not know is whether the access token issued to the client while the user logs into the application server can be passed to Mule ESB, and Mule ESB can validate the access token before
Actually, the question we are looking for an answer to is whether it is possible to issue the client an access token only once, then validate this token on each side (Mule ESB, Alfresco) without asking the user to enter credentials again and again.
Upvotes: 1
Views: 682
Reputation: 13059
Using one access token for multiple applications is not recommended. This is highlighted in these resources. Basically, the scope of the access token must be restricted. This is to prevent the access token from being misused.
In your scenario, you have multiple applications. If your goal is to use one access token shared across all of them, I suggest not doing that. Instead, you may use a single access token against multiple APIs, given that you request access tokens with such a scope. For example, APIs in the ESB can be designed to accept access tokens if the scope allows them to do so (the scope can be validated from the API endpoint through token introspection). But allow each client app to obtain its own tokens. This makes your architecture more secure.
One solution for SSO is to allow browser-based SSO. Identity providers maintain a session in the browser. So if one of your clients goes through a login, your next client will use that previous session to skip the login page. This is essentially SSO behavior. For example, this is what allows you to use Gmail, YouTube and Google Drive with a single login. The browser maintains a session with Google. Each app obtains tokens, but skips the login page.
Upvotes: 1
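The scope check the answer describes, as an added example (not code from the question, the answer, Mule or IdentityServer4): the resource-server side of an API behind the ESB that accepts a bearer token only after OAuth 2.0 token introspection (RFC 7662) confirms it is active and carries the required scope. It goes one step beyond the answer by also checking the token's audience, so a token minted for a different API is refused even when its scopes overlap. The introspection endpoint here is a constructed in-memory stand-in; the token values, scopes and audience names are made up for the example. A real API would POST the token to the identity provider's introspection endpoint over TLS using the API's own credentials.

```python
# Added example, not code from the question or the answer above. Demonstrates
# an API validating an access token via token introspection (RFC 7662):
# active? issued for this API (aud)? carries the required scope?
# The identity provider is a constructed in-memory stand-in; all token
# values, scopes and audiences below are invented for the example.
import time
from typing import Any, Callable, Dict, Set, Tuple

Introspector = Callable[[str], Dict[str, Any]]

_NOW = int(time.time())

# Constructed token table: opaque token -> RFC 7662-style introspection response.
_FAKE_IDP_TOKENS: Dict[str, Dict[str, Any]] = {
    "tok-web-app": {
        "active": True, "sub": "alice", "client_id": "web-app",
        "scope": "openid esb.read alfresco.read",
        "aud": ["esb-api", "alfresco-api"], "exp": _NOW + 3600,
    },
    "tok-other-api": {
        "active": True, "sub": "bob", "client_id": "mobile-app",
        "scope": "esb.read", "aud": "reporting-api", "exp": _NOW + 3600,
    },
    "tok-expired": {
        "active": True, "sub": "carol", "client_id": "web-app",
        "scope": "esb.read", "aud": ["esb-api"], "exp": _NOW - 60,
    },
}


def fake_introspect(token: str) -> Dict[str, Any]:
    """Stand-in for the provider's introspection endpoint (hypothetical).
    Like a real endpoint it answers {"active": false} for unknown or
    expired tokens and reveals nothing else about them."""
    resp = _FAKE_IDP_TOKENS.get(token)
    if resp is None or resp["exp"] <= int(time.time()):
        return {"active": False}
    return dict(resp)


def authorize(token: str, expected_aud: str, required_scopes: Set[str],
              introspect: Introspector = fake_introspect) -> Tuple[bool, str]:
    """Decide whether a request bearing `token` may call this API.

    Returns (allowed, detail). On success `detail` is the subject; on denial
    it is a short reason meant for the API's own log, not for the caller.
    """
    resp = introspect(token)
    if not resp.get("active", False):
        return False, "token inactive or unknown"

    # Audience: a token minted for another API must not be accepted here,
    # even if its scopes overlap. RFC 7662 allows aud as a string or an array.
    aud = resp.get("aud", [])
    aud_set = {aud} if isinstance(aud, str) else set(aud)
    if expected_aud not in aud_set:
        return False, f"audience mismatch: {sorted(aud_set)}"

    # Scope: space-delimited string per RFC 6749 section 3.3.
    granted = set(resp.get("scope", "").split())
    missing = required_scopes - granted
    if missing:
        return False, f"missing scope: {sorted(missing)}"

    return True, resp.get("sub", "")


if __name__ == "__main__":
    for tok in ("tok-web-app", "tok-other-api", "tok-expired", "tok-bogus"):
        print(tok, "->", authorize(tok, "esb-api", {"esb.read"}))
```

Each API passes its own `expected_aud` and `required_scopes`, so the same token can be honoured by both the ESB API and an Alfresco-facing API only when it was requested with both audiences and both scopes; a token that is merely "valid" is not enough.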