
Single Sign On - Laravel Passport


I have multiple Laravel Apps, all with their own user tables and roles tables. I want to implement single sign-on so a user can sign in once and then access all the apps without signing in again. I have set up an Authentication Server using Laravel Passport and created a test client app to start testing. I have added all the users who have access to my apps to the users table in the Authentication Server. I have set up a login redirect from my test client that passes my client ID and secret to the auth server and allows the user to log in. I have bypassed the authorisation step. This is as far as I have gone. I think my next step is to use the returned token to check authentication and then find the local user and log them in.

What I can’t seem to get my head around is that when I add a new client (app) and visit that app, how does the authentication server know what user is requesting authentication, as I should not have to enter my credentials again?

This is the first time I have implemented single sign-on and I think I just need to understand, once a user has authenticated with the authentication server, how subsequent logins from different clients work. Any help would be gratefully received.


Solution

  • What I can’t seem to get my head around is that when I add a new client (app) and visit that app, how does the authentication server know what user is requesting authentication, as I should not have to enter my credentials again?

    It uses cookies to remember the 'session' like any other website.

    Web SSO (be it OAuth or SAML or proprietary) always involves the app redirecting the user's browser to the IdP, and therefore the user visiting some URL at the IdP – which receives cookies if any, sets new cookies if necessary, and either displays a login screen or silently redirects right back to the app (sending an authentication token either way).

    Use your browser's "DevTools" Network tab to see the redirects and requests being made.
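The redirect-and-callback round trip the answer describes, written out for one client app as an added example (not code from the question, the answer, or the Passport project): the browser is sent to the IdP's /oauth/authorize URL, the IdP's own session cookie decides whether a login form appears, and the client then swaps the returned code for a token and logs in the matching local user. The auth-server host, the `services.sso` config keys and the `/api/user` route are assumptions.

```php
<?php
// Added example; AUTH_SERVER, the services.sso keys and /api/user are assumptions.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

const AUTH_SERVER = 'https://auth.example.test'; // placeholder IdP host

// Step 1: send the browser to the auth server. The browser also carries the
// IdP's own session cookie, so a user already logged in there is redirected
// straight back with a code and never sees the login form a second time.
Route::get('/auth/redirect', function (Request $request) {
    $state = Str::random(40); // CSRF token tied to this browser session
    $request->session()->put('oauth_state', $state);
    $query = http_build_query([
        'client_id'     => config('services.sso.client_id'),
        'redirect_uri'  => route('auth.callback'),
        'response_type' => 'code',
        'scope'         => '',
        'state'         => $state,
    ]);
    return redirect(AUTH_SERVER.'/oauth/authorize?'.$query);
});

// Step 2: the auth server redirects back here with ?code=...&state=...
Route::get('/auth/callback', function (Request $request) {
    // Refuse the callback unless state matches what this session issued.
    $state = $request->session()->pull('oauth_state');
    abort_unless(is_string($state) && hash_equals($state, (string) $request->query('state')), 403);
    // Exchange the one-time code for a token server to server, so the client
    // secret is never placed in a browser redirect.
    $token = Http::asForm()->post(AUTH_SERVER.'/oauth/token', [
        'grant_type'    => 'authorization_code',
        'client_id'     => config('services.sso.client_id'),
        'client_secret' => config('services.sso.client_secret'),
        'redirect_uri'  => route('auth.callback'),
        'code'          => $request->query('code'),
    ])->throw()->json();
    // Ask the auth server who the token belongs to, then log in the matching local user.
    $remote = Http::withToken($token['access_token'])->get(AUTH_SERVER.'/api/user')->throw()->json();
    $user = User::where('email', $remote['email'])->firstOrFail();
    Auth::login($user);
    $request->session()->regenerate();
    return redirect('/');
})->name('auth.callback');
```

Each client app runs this same pair of routes with its own client ID and secret; only the first one the user visits shows the IdP login form, because the IdP session cookie set during that login is presented on every later /oauth/authorize visit.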