
I need help on a solution for below scenario from a security perspective.

Scenario:

There are two independent web applications App1 and App2. User will log in to App1 by performing authentication demanded by App1. Once authenticated, the user will find a hyperlink to access App2. On click of the hyperlink, App1 will pass the minimum parameters required for session creation (user-id) to App2. User should be logged into App2 in a 'new tab' on behalf of the passed 'user-id'.

Current approach:

By means of asymmetric cryptography, App1 will have a key-pair. App1 creates a JWT token (embedding 'App2 user-id') as part of the initial handshake with a JWT expiry and posts it to App2. App2 verifies the JWT signature of App1 and checks for the JWT expiry. On success, App2 continues to create a session for the user in a 'new tab'.

Problem:

Although the JWT is sent over https, it's not opaque during transit. While secrecy is an issue, what are the other security risks in the current approach? What could be a better authentication handshake, as opposed to the aforementioned process?

Thanks in advance.

ashok

1 Answer


A JWT can be signed, encrypted, or both. Please use the case of encrypted and signed for secrecy of the App2 user-id (and other details) transmitted via JWT. Please refer to this for more details. It's recommended to sign and then encrypt, but vice versa is also possible.

Karan Bansal