Is it possible to re-use access token at multiple server - IdentityServer4
up vote
1
down vote
favorite
Currently, we are building a web-based application, and we have web-server and we have application server host our resources. Also we will use Mule ESB to be able to use any web-service or api. And we will have Alfresco DMS solution and we will use alfresco service with Mule ESB .
We are investigating how we can implement SSO approach for this scenario. We have already IdentityServer4 for identity federation. It issues access token for client, and we need to authenticate the user whenever the user at the Mule ESB side without asking user the credentials again.
According to my researches, external Identiy provide can be added on Mule ESB. The thing we do not is that can the access token issued the cliet while user logging into application server be passed to Mule ESB and Mule ESB can validate the access token before
Actually, the question that we are looking for answer is that is it possible issue client an access token only for once, then validate this token in each side (Mule ESB, Alfresco) without asking user to enter the credentials again and again.
token identityserver4 access openid-connect mule-esb
asked Nov 8 at 19:30
Mert Atasoy
61
add a comment |
up vote
1
down vote
favorite
Currently, we are building a web-based application, and we have web-server and we have application server host our resources. Also we will use Mule ESB to be able to use any web-service or api. And we will have Alfresco DMS solution and we will use alfresco service with Mule ESB .
We are investigating how we can implement SSO approach for this scenario. We have already IdentityServer4 for identity federation. It issues access token for client, and we need to authenticate the user whenever the user at the Mule ESB side without asking user the credentials again.
According to my researches, external Identiy provide can be added on Mule ESB. The thing we do not is that can the access token issued the cliet while user logging into application server be passed to Mule ESB and Mule ESB can validate the access token before
Actually, the question that we are looking for answer is that is it possible issue client an access token only for once, then validate this token in each side (Mule ESB, Alfresco) without asking user to enter the credentials again and again.
token identityserver4 access openid-connect mule-esb
asked Nov 8 at 19:30
Mert Atasoy
61
Welcome to Stack Overflow. You have explained your question clearly. One question, does EDB connect multiple APIs which maintained by you ?
– Kavindu Dodanduwa
Nov 9 at 5:43
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
Currently, we are building a web-based application, and we have web-server and we have application server host our resources. Also we will use Mule ESB to be able to use any web-service or api. And we will have Alfresco DMS solution and we will use alfresco service with Mule ESB .
We are investigating how we can implement SSO approach for this scenario. We have already IdentityServer4 for identity federation. It issues access token for client, and we need to authenticate the user whenever the user at the Mule ESB side without asking user the credentials again.
According to my researches, external Identiy provide can be added on Mule ESB. The thing we do not is that can the access token issued the cliet while user logging into application server be passed to Mule ESB and Mule ESB can validate the access token before
Actually, the question that we are looking for answer is that is it possible issue client an access token only for once, then validate this token in each side (Mule ESB, Alfresco) without asking user to enter the credentials again and again.
token identityserver4 access openid-connect mule-esb
asked Nov 8 at 19:30
Mert Atasoy
61
Currently, we are building a web-based application, and we have web-server and we have application server host our resources. Also we will use Mule ESB to be able to use any web-service or api. And we will have Alfresco DMS solution and we will use alfresco service with Mule ESB .
We are investigating how we can implement SSO approach for this scenario. We have already IdentityServer4 for identity federation. It issues access token for client, and we need to authenticate the user whenever the user at the Mule ESB side without asking user the credentials again.
According to my researches, external Identiy provide can be added on Mule ESB. The thing we do not is that can the access token issued the cliet while user logging into application server be passed to Mule ESB and Mule ESB can validate the access token before
Actually, the question that we are looking for answer is that is it possible issue client an access token only for once, then validate this token in each side (Mule ESB, Alfresco) without asking user to enter the credentials again and again.
token identityserver4 access openid-connect mule-esb
token identityserver4 access openid-connect mule-esb
asked Nov 8 at 19:30
Mert Atasoy
61
asked Nov 8 at 19:30
Mert Atasoy
61
asked Nov 8 at 19:30
Mert Atasoy
61
asked Nov 8 at 19:30
Mert Atasoy
61
asked Nov 8 at 19:30
Mert Atasoy
61
61
Welcome to Stack Overflow. You have explained your question clearly. One question, does EDB connect multiple APIs which maintained by you ?
– Kavindu Dodanduwa
Nov 9 at 5:43
add a comment |
Welcome to Stack Overflow. You have explained your question clearly. One question, does EDB connect multiple APIs which maintained by you ?
– Kavindu Dodanduwa
Nov 9 at 5:43
Welcome to Stack Overflow. You have explained your question clearly. One question, does EDB connect multiple APIs which maintained by you ?
– Kavindu Dodanduwa
Nov 9 at 5:43
Welcome to Stack Overflow. You have explained your question clearly. One question, does EDB connect multiple APIs which maintained by you ?
– Kavindu Dodanduwa
Nov 9 at 5:43
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
Using access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically scope of the access token must be restricted. This is to precent access token being misused.
In your scenario, you have multiple applications. If you goal is to use one access token shared across all of them, I suggest not to do that. Instead, you may use single access token against multiple APIs given that you request access tokens with such scope. For example, APIs in ESB can be designed to accept access tokes if scope allowed to do so (scope can be validated from API endpoint through token introspection). But allow each client app to obtain their own tokens. This make your architecture more secure.
One solution for SSO is to allow browser based SSO. Identity providers maintain a session in the browser. So if one of your client go through a login, your next client will use that previous session to skip the login page. This is essentially a SSO behavior. For example this is what allows you to use Gmail, Youtube and Google Drive with single login. Browser maintain a session with Google. Each app obtain tokens, but skipping login page.
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Using access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically scope of the access token must be restricted. This is to precent access token being misused.
In your scenario, you have multiple applications. If you goal is to use one access token shared across all of them, I suggest not to do that. Instead, you may use single access token against multiple APIs given that you request access tokens with such scope. For example, APIs in ESB can be designed to accept access tokes if scope allowed to do so (scope can be validated from API endpoint through token introspection). But allow each client app to obtain their own tokens. This make your architecture more secure.
One solution for SSO is to allow browser based SSO. Identity providers maintain a session in the browser. So if one of your client go through a login, your next client will use that previous session to skip the login page. This is essentially a SSO behavior. For example this is what allows you to use Gmail, Youtube and Google Drive with single login. Browser maintain a session with Google. Each app obtain tokens, but skipping login page.
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
add a comment |
up vote
1
down vote
Using access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically scope of the access token must be restricted. This is to precent access token being misused.
In your scenario, you have multiple applications. If you goal is to use one access token shared across all of them, I suggest not to do that. Instead, you may use single access token against multiple APIs given that you request access tokens with such scope. For example, APIs in ESB can be designed to accept access tokes if scope allowed to do so (scope can be validated from API endpoint through token introspection). But allow each client app to obtain their own tokens. This make your architecture more secure.
One solution for SSO is to allow browser based SSO. Identity providers maintain a session in the browser. So if one of your client go through a login, your next client will use that previous session to skip the login page. This is essentially a SSO behavior. For example this is what allows you to use Gmail, Youtube and Google Drive with single login. Browser maintain a session with Google. Each app obtain tokens, but skipping login page.
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
add a comment |
up vote
1
down vote
up vote
1
down vote
Using access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically scope of the access token must be restricted. This is to precent access token being misused.
In your scenario, you have multiple applications. If you goal is to use one access token shared across all of them, I suggest not to do that. Instead, you may use single access token against multiple APIs given that you request access tokens with such scope. For example, APIs in ESB can be designed to accept access tokes if scope allowed to do so (scope can be validated from API endpoint through token introspection). But allow each client app to obtain their own tokens. This make your architecture more secure.
One solution for SSO is to allow browser based SSO. Identity providers maintain a session in the browser. So if one of your client go through a login, your next client will use that previous session to skip the login page. This is essentially a SSO behavior. For example this is what allows you to use Gmail, Youtube and Google Drive with single login. Browser maintain a session with Google. Each app obtain tokens, but skipping login page.
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
Using access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically scope of the access token must be restricted. This is to precent access token being misused.
In your scenario, you have multiple applications. If you goal is to use one access token shared across all of them, I suggest not to do that. Instead, you may use single access token against multiple APIs given that you request access tokens with such scope. For example, APIs in ESB can be designed to accept access tokes if scope allowed to do so (scope can be validated from API endpoint through token introspection). But allow each client app to obtain their own tokens. This make your architecture more secure.
One solution for SSO is to allow browser based SSO. Identity providers maintain a session in the browser. So if one of your client go through a login, your next client will use that previous session to skip the login page. This is essentially a SSO behavior. For example this is what allows you to use Gmail, Youtube and Google Drive with single login. Browser maintain a session with Google. Each app obtain tokens, but skipping login page.
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
edited 2 days ago
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
answered Nov 9 at 5:40
Kavindu Dodanduwa
5,42111230
5,42111230
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53214867%2fis-it-possible-to-re-use-access-token-at-multiple-server-identityserver4%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Welcome to Stack Overflow. You have explained your question clearly. One question, does EDB connect multiple APIs which maintained by you ?
– Kavindu Dodanduwa
Nov 9 at 5:43