I was asked to design and implement a solution that I have some security concerns about.

  • The customer has a web application into which users log in using their credentials.
  • The customer wants to add a button in that application which should redirect their users to my web application (that is the 'fake SSO' part, i.e. if they logged in their web app, they are 'secure & trusted')
  • The HTTPS request will contain the user ID and password
  • I should allow access to my web app based on this user ID and password

Up to here it seems pretty standard, like a basic authentication.

HOWEVER:

  • If the user account does not exist in my app, it has to be created with some permissions assigned to it (based on the request) and then the user should be logged in.

To me this seems like a way in for everybody to access my web app.

What options do I have to validate whether the 'log in' request indeed comes from the 'trusted' web app?
I was thinking about validating the referrer URL as a first step, but that can probably be easily faked. What more can I do, possibly with the smallest effort on the customer's web app side?

Bartosz

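The question is how to prove that the redirect really originated from the customer's application rather than from anyone who can type a URL. One standard approach is for the customer's app to sign a short-lived handoff token with a secret shared only between the two applications, and for the receiving app to check the signature, freshness and single use before creating or logging in an account. Because the signature is what proves origin, the password no longer needs to travel at all. The code below is an added example illustrating that design; it is not code from the question or from either application, and the secret value, the field names, the lifetime and the in-memory user store are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed shared secret, provisioned out of band to both applications.
# Illustrative value only; a deployment loads it from a secrets store.
SHARED_SECRET = b"example-shared-secret-replace-me"
TOKEN_LIFETIME = 60      # seconds a handoff token stays valid (assumed)
CLOCK_SKEW = 5           # seconds of issuer clock drift tolerated (assumed)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, permissions, secret=SHARED_SECRET, now=None):
    """Customer-app side: build the value the redirect carries.

    The payload names the user and the permissions to grant, plus an issue
    time and a random nonce; the password is never included. The HMAC over
    the encoded payload is what proves the request came from the customer.
    """
    payload = {
        "sub": user_id,
        "perms": sorted(set(permissions)),
        "iat": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


class TokenVerifier:
    """Receiving-app side: accept a token only if it is signed, fresh and unused."""

    def __init__(self, secret=SHARED_SECRET, lifetime=TOKEN_LIFETIME):
        self._secret = secret
        self._lifetime = lifetime
        # nonce -> time after which it can be forgotten; a single-process
        # stand-in for the shared store a real deployment would use
        self._seen = {}

    def verify(self, token, now=None):
        """Return (payload, None) on success or (None, reason) on rejection."""
        now = int(time.time() if now is None else now)
        try:
            body, sig_text = token.split(".", 1)
            # Check the MAC in constant time before parsing anything else.
            expected = hmac.new(self._secret, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig_text)):
                return None, "bad signature"
            payload = json.loads(_unb64url(body))
        except (ValueError, TypeError, UnicodeError):
            return None, "malformed token"
        if not isinstance(payload, dict):
            return None, "malformed token"

        iat, nonce = payload.get("iat"), payload.get("nonce")
        if not isinstance(iat, int) or isinstance(iat, bool) or not isinstance(nonce, str):
            return None, "malformed token"
        if iat > now + CLOCK_SKEW:
            return None, "issued in the future"
        if now - iat > self._lifetime:
            return None, "expired"

        # Replay protection: each nonce is honoured once within its lifetime.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return None, "replayed token"
        self._seen[nonce] = iat + self._lifetime + CLOCK_SKEW
        return payload, None


def handoff_login(verifier, users, token, now=None):
    """Create the account on first sight, then log the user in.

    `users` is an in-memory dict standing in for the user store (assumed).
    Nothing is created or granted unless the token verified.
    """
    payload, reason = verifier.verify(token, now=now)
    if payload is None:
        return None, reason
    user = users.setdefault(payload["sub"], {"perms": list(payload.get("perms", []))})
    return user, None
```

The customer's change is limited to calling something like `issue_token` and placing the result in the redirect; everything else lives on the receiving side. The verifier rejects a token with a wrong secret, a tampered body, an old or future issue time, and any token presented twice, which is what stops someone from copying a captured redirect URL and replaying it to create accounts.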