I implement SSO to integrate some web login mechanism to the centralized member system which is OAuth2 provider. And currently OAuth2 authorization works well.
However, I would like to implement much more smooth login methods by AJAX call. For example, user logged in web A and member system already. When user navigate to web B, the web B should call AJAX to member system to see whether user logged in or not? If user logged in, the web B should show user the logged in page.
I have studied some of OAuth2 article (I cannot find link now). They all do SSO by redirect to OAuth provider directly. However, I would like to use CORS AJAX call because it could provide better UX.
I read another discussion about the risk of CORS and SSO: Designing single-sign-on with JSONP/CORS?
But I cannot understand the selected answer.
There must be a control in place to prevent a malicious JavaScript client from falsifying interactions with the authorization server. If the URL is supplied as an argument within a CORS Ajax request, rather then checking the HTTP origin header, then a malicious client is permitted to lie about it's context.
The URL could be verified by CORS header Origin.
My opinion is that if OAuth2 Provider set CORS Origin correctly, it should be fine to support CORS AJAX login mechanism. Because cookie and CORS cannot access by cross domain and violate CORS Origin strategy, it would not suffer CSRF attack. Only need to worry about XSS.
I am not very confident about my opinions, that's why I post here. If you have any advise or find my error, please let me know.
[Update More Detail]
In member system, I would define CORS settings like this
app.use(cors({
origin: ["http://weba.com", "http://webb.com"],
credentials: true,
methods: ['GET', 'POST']
}))
app.get('/sniff', (req, res)=>{
if(req.session.user){ res.send("user login")}
else res.send("not login yet")
})
In the webA,
xhr.withCredential = true
xhr.open("GET","http://member.com/sniff") => I can tell if user login or not.