
I am looking for a solution for my client to access our application without actually logging in to our application (from the user's point of view).

Here is the flow.

  1. User logs in to client application APP1.

  2. User clicks a link in APP1 that should take the user to our application APP2.

  3. APP2 should validate the user details; if the user is not available in our database, create the user and forward to the requested resource. Note that at this point there is no APP1; APP2 would take over the UI.

  4. User can click a link in APP2 that should take the user back to APP1.

Can we achieve this using OAuth? All the implementations I have seen are like this: the user will have an account in both apps, and on click of a link APP2 would provide an authorization mechanism. Once authorized, APP1 requests resources from APP2.

Our app is based on Java/Spring, and I do not have any control over APP1.

titogeo
  • Check this link: http://stackoverflow.com/questions/1087031/whats-the-difference-between-openid-and-oauth – home Jan 16 '13 at 08:17
  • As per my experience with OAuth, you need an account in both apps and the user has to log in to both apps as per requirement. The user will actually be redirected only to the app's login page and then come back to your page, but at least for OAuth validation you need an account on both apps. – Manoj Kathiriya Jan 16 '13 at 08:17
  • For 'real' single sign-on you might want to look at SAML (identity propagation). – home Jan 16 '13 at 08:23
  • @ManojKathiriya Suppose I can create users in the backend; can I take over the UI from APP1? Is it possible with OAuth? Then I need to go back. – titogeo Jan 16 '13 at 08:29

1 Answer

Approach 1 (complex)

APP2 will implement an OAuth server; APP1 will implement authentication & authorization based on the token generated by APP2 after successful authentication and confirmation by the user providing access to APP1.

Approach 2

Implement single sign-on,

where APP2 adds an Authentication & Authorization header to the request. APP1 will always look for that header before processing a request; on absence of such a header, it redirects the user to the APP2 authentication screen with redirect_url as a parameter.

TheWhiteRabbit
  • For SSO, both parties should agree, right? APP1 is an independent system; APP2 (ours) acts as a plugin to them, some value-added services. – titogeo Jan 16 '13 at 08:37
  • In that case, APP2 should generate and maintain a token which APP1 should supply for subsequent interactions. APP2 can verify the same and pass the request. – TheWhiteRabbit Jan 16 '13 at 08:46
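The hand-off token described in the answer and the last comment, as an added illustration that is not code from the question or the answer: APP2 issues a short-lived token bound to a user id and signed with a secret shared out-of-band with APP1 (an assumption; the page does not say how the two parties agree on it), APP1 puts that token on the link into APP2, and APP2 verifies the signature with a constant-time comparison and rejects expired tokens before provisioning or forwarding the user. Class and method names are hypothetical; plain JDK, no Spring dependency.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

/** Hypothetical APP1 -> APP2 hand-off token: "userId|expiresAtMillis|base64url(HMAC-SHA256)". */
public final class HandoffToken {
    private static final String ALG = "HmacSHA256";
    private final byte[] sharedSecret; // assumed to be agreed out-of-band by APP1 and APP2

    public HandoffToken(byte[] sharedSecret) { this.sharedSecret = sharedSecret.clone(); }

    /** Issued by APP2 (or by APP1 with the same secret); the '|' separator may not appear in the id. */
    public String issue(String userId, long ttlMillis, long nowMillis) {
        if (userId.isEmpty() || userId.indexOf('|') >= 0) throw new IllegalArgumentException("bad user id");
        String payload = userId + "|" + (nowMillis + ttlMillis);
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(payload));
    }

    /** Verified by APP2 on the incoming link: user id if signature and expiry check out, empty otherwise. */
    public Optional<String> verify(String token, long nowMillis) {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 3 || parts[0].isEmpty()) return Optional.empty();
        long expiresAt;
        byte[] given;
        try {
            expiresAt = Long.parseLong(parts[1]);
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) { // covers NumberFormatException and bad base64
            return Optional.empty();
        }
        byte[] expected = sign(parts[0] + "|" + parts[1]);
        if (!MessageDigest.isEqual(expected, given)) return Optional.empty(); // constant-time compare
        if (nowMillis > expiresAt) return Optional.empty();                    // expired hand-off
        return Optional.of(parts[0]);
    }

    private byte[] sign(String payload) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(sharedSecret, ALG));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

A token like this should be single-use or very short-lived, since a captured link would otherwise let anyone replay the hand-off; APP2 can record consumed tokens to enforce that.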