I'm thinking about creating SSO web apps using Keycloak with the Authorization Code Grant flow (OIDC), like the link below.
https://auth0.com/blog/what-is-and-how-does-single-sign-on-work/
As the TYPICAL SSO flow in the Auth0 article explains, the first time a user accesses domain1.com, the user is required to fill in the login form. After a successful login, when the user accesses domain2.com, the user doesn't have to type any information, because the user has already logged in to the Auth Server (in my case Keycloak) and can get an ID token for authentication without a user login action. I think that's how I can make my web apps single sign-on to each other.
However, what I'm wondering about is that the apps always have to access the Auth Server to get a new ID token. By doing this, I always get new tokens and don't have to care about token expiry, but as you can imagine, the network cost will be high.
To avoid the network traffic, I was thinking about creating a new session for each web application after it gets its tokens, so that each app does not access the Auth Server every time. But in this case, when one of the apps logs out, the other app's session still remains, because that session is created by each app separately.
Does anyone have any ideas or suggestions for how to maintain the user session in this case?
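The standard OIDC answer to the two halves of the question (keep a local session per app so every request does not hit Keycloak, yet still tear down every app's session when the user logs out) is OpenID Connect Back-Channel Logout: each app remembers the OP session id (`sid` claim) of the ID token it was issued, and when the SSO session ends, the OP posts a signed logout token carrying that `sid` to every client that took part in it. The following is an added example written for this page; it is not code from the original post or from Keycloak. To run offline it signs tokens with HS256 under a constructed shared key (`DEMO_KEY`), uses a hypothetical realm URL (`ISSUER`) and hypothetical client ids `app1`/`app2`; a real Keycloak realm signs with RS256 and the app must verify against the realm's JWKS instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HMAC key so the example runs offline. A real Keycloak realm
# signs ID tokens and logout tokens with RS256; verify those against its JWKS.
DEMO_KEY = b"demo-hs256-key-not-for-production"
ISSUER = "https://keycloak.example/realms/demo"  # hypothetical realm URL
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT; stands in for the Keycloak realm in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the alg pin and signature, return the claims; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class AppSessions:
    """Local session store for one relying party (one of the web apps). The ID token is
    validated once after the code exchange; later requests never call Keycloak."""

    def __init__(self, client_id: str, issuer: str = ISSUER):
        self.client_id, self.issuer = client_id, issuer
        self._sessions = {}  # cookie value -> {"sub", "sid", "exp"}
        self._next = 0

    def _check_iss_aud(self, claims: dict) -> None:
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token not issued for this client")

    def login(self, id_token: str, now: float) -> str:
        """Validate the ID token from the code exchange and open a local session."""
        claims = verify_jwt(id_token)
        self._check_iss_aud(claims)
        if "sub" not in claims or claims.get("exp", 0) <= now:
            raise ValueError("ID token expired or missing sub")
        self._next += 1
        cookie = f"{self.client_id}-sess-{self._next}"  # real code: secrets.token_urlsafe
        self._sessions[cookie] = {"sub": claims["sub"], "sid": claims.get("sid"), "exp": claims["exp"]}
        return cookie

    def is_valid(self, cookie: str, now: float) -> bool:
        """Per-request check: purely local, no round trip to the Auth Server."""
        rec = self._sessions.get(cookie)
        return rec is not None and rec["exp"] > now

    def backchannel_logout(self, logout_token: str, now: float) -> int:
        """Handle an OIDC Back-Channel Logout POST; returns how many sessions it revoked."""
        claims = verify_jwt(logout_token)
        self._check_iss_aud(claims)
        if (LOGOUT_EVENT not in claims.get("events", {}) or "nonce" in claims
                or "jti" not in claims or claims.get("iat", float("inf")) > now + 60):
            raise ValueError("not a valid logout token")
        key = "sid" if "sid" in claims else "sub"  # spec: at least one must be present
        if key not in claims:
            raise ValueError("logout token needs sid or sub")
        doomed = [c for c, rec in self._sessions.items() if rec[key] == claims[key]]
        for c in doomed:
            del self._sessions[c]
        return len(doomed)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Two apps share one Keycloak SSO session; one OP logout revokes both local sessions."""
    app1, app2 = AppSessions("app1"), AppSessions("app2")
    base = {"iss": ISSUER, "sub": "user-42", "sid": "kc-sess-A", "iat": now, "exp": now + 300}
    c1 = app1.login(sign_jwt({**base, "aud": "app1"}), now)  # constructed ID tokens
    c2 = app2.login(sign_jwt({**base, "aud": "app2"}), now)
    other = app2.login(sign_jwt({**base, "aud": "app2", "sid": "kc-sess-B"}), now)  # 2nd browser
    before = (app1.is_valid(c1, now), app2.is_valid(c2, now))
    evt = {"iss": ISSUER, "sub": "user-42", "sid": "kc-sess-A", "iat": now,
           "jti": "evt-1", "events": {LOGOUT_EVENT: {}}}
    revoked = (app1.backchannel_logout(sign_jwt({**evt, "aud": "app1"}), now),
               app2.backchannel_logout(sign_jwt({**evt, "aud": "app2"}), now))
    after = (app1.is_valid(c1, now), app2.is_valid(c2, now), app2.is_valid(other, now))
    return {"before": before, "revoked": revoked, "after": after}
```

`demo()` returns `before == (True, True)`, `revoked == (1, 1)` and `after == (False, False, True)`: the logout token ends the user's sessions in both apps but leaves the same user's unrelated browser session (different `sid`) alone. In Keycloak this corresponds to setting the backchannel logout URL on each client; a logout triggered from any app's RP-initiated logout or from the Keycloak account console then ends the SSO session and Keycloak posts a logout token to every client that took part in it. Token expiry is the other half of the problem: renew the ID/access token with the refresh token from the code exchange before `exp` rather than re-running the authorization request on every page load.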