Shulou(Shulou.com)05/31 Report--

This article mainly explains "NodeJS how to achieve single sign-on", the content of the article is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in depth, together to study and learn "NodeJS how to achieve single sign-on" bar!

What is single sign-on?

With the increase of the company's business, it is bound to produce different systems, and it will be very inconvenient if each system needs to log in separately.

As a result, single sign-on solution comes into being, single sign-on full name Single Sign On, referred to as SSO, which means that if you log on to one system in multiple system application groups, you can be authorized in all other systems without logging in again.

For example, Xiaoming logged on to Taobao today. If he did not log in, he would be required to enter authentication information (user name, password, etc.). After logging in, he would not need to log in to visit Tmall's page.

Single sign-on principle

SSO needs an independent authentication center, only the independent authentication center can accept users' user names and passwords and other security information, other systems do not provide login entry, only accept the indirect authorization of the authentication center. The whole process can be simply described with the figure above:

When the user logs in and accesses application A, application A discovers that the user is not logged in, jumps to SSO authentication center, and uses his address as a parameter to facilitate callback

SSO Certification Center discovers that the user has not logged in and guides the user to the login page; the user fills in the username and password to submit a login application; SSO Certification Center verifies the user's information and creates a session of the user's rain SSO Authentication Authority (which saves the information to cookie), and creates an authorization token token

Sso Certification Authority jumps to the original request address with a token (Application A)

Apply A to get the token and go to SSO Certification Authority to verify whether it is valid. If valid registration is returned, Application A

Use A to create a session with the user, show the resources and maintain the user login state

When the user visits Application B, he finds that the user is not logged in (the SSO authentication server is not in the same domain as Application An Application B and cannot provide login status), jumps to SSO authentication center, and brings his address and cookie information of previous conversation with SSO authentication center into

SSO Certification Authority discovers that the user is logged in, jumps back to the application B address and appends token token

The same application B gets the token and goes to SSO Certification Authority to verify whether it is valid. If you return valid registration application B,

Apply B to create a session with the user, show the resources and maintain the user login state

NodeJS demonstrates three different services

Here we need to start three services to simulate the application of A _ Magi SSO authentication server and application B respectively.

Here the service of port number 8383 is the SSO authentication server, and the rest: 8686 and: 8787 represent application An and application B, respectively.

In fact, the code of application An is almost the same as that of application B. as shown in the figure above, we can set different ports and application names by passing parameters.

Let's take a look at the effect first.

The first access jumps to the login page, applies A to determine the login status, and jumps to the SSO authentication server.

Application A

Const Koa=require ('koa'); const Router=require (' koa-router') const views=require ('koa-views') const static=require (' koa-static') const path=require ('path'); const app=new Koa (); const router=new Router (); const session=require (' koa-session') const koa2Req=require ('koa2-request') / / template engine-related configuration app.use (views (path.join (_ _ dirname,'./views')), {extension:'ejs'}) app.keys= ['key'] const keyMap= {' 8686VOVA VOLARO Sess8686AT, '8787VRO KoaVOSA Sess8787'} const CONFIG= {key:keyMap [process.env.PORT] | |' koa:sess', maxAge:1000*60*60*24, httpOnly:true} app.use (session (CONFIG) App) const system=process.env.SERVER_NAMErouter.get ("/", async (ctx) = > {/ / determine the login status of application A by session let user=ctx.session.user if (user) {/ /...} else / / 1, when the user logs in to access application A. Application A found that the user was not logged in (because the server did not save the corresponding session) {let token=ctx.query.token / / the first login url will not have a token if (! token) {/ / 1, Jump to SSO authentication server ctx.redirect (`http://localhost:8383/login?redirectUrl=${ctx.host+ctx.originalUrl}`)} else {/ /...}) app.use (router.routes ()) const port=process.env.PORT | | 8888app.listen (port) () = > {console.log (`app ${system} running at ${port} `)) Authentication server determines login status Render the landing page

Authentication server SSO

The directory structure of the authentication server mainly deals with two functions, one is login logic, the other is to verify the validity of tokens, which have routing login.js and check-token.js processing respectively.

Auth/index.js

Const Koa=require ('koa'); const Router=require (' koa-router') const views=require ('koa-views') const path=require (' path'); const app=new Koa (); const router=new Router () Const login=require (". / routes/login") const checkToken=require ('. / routes/check-token') const bodyparser=require ('koa-bodyparser') app.use (views (path.join (_ _ dirname,'./views')), {extension:'ejs'}) app.use (bodyparser ()) / / logical router.use (' / login',login.routes ()) / / logical router.use ('/ check_token') dealing with token verification CheckToken.routes () app.use (router.routes ()) app.listen (8383, () = > {console.log (`app listen at 8383`)})

Just now we jumped from Application A to http://localhost:8383/login?redirectUrl=localhost:8686 to look at the logic in login.

Auth/routes/login.js

Const service = require (".. / service"); const router=require ("koa-router") () router.get ('/', async (ctx) = > {const cookies=ctx.cookies; const token=cookies.get ('token'); / / determine the login state of application An if (token & & service.isTokenVailid (token)) {/ / from cookie. If you have logged in} else {/ / 2, SSO authentication authority found that the user has not logged in, so the login page is rendered; await ctx.render ('login.ejs', {extension:'ejs'})}) / /. No, no, no. Module.exports=router

Login page

Auth/views/login.ejs

Unified login user name: password verifies user information and creates tokens

Auth/routes/login.js

Router.post ('/', async (ctx) = > {/ / 2, user fill in username and password to submit login application; const body=ctx.request.body; const {name,password} = body / / 2. SSO Authentication Authority verifies user information, if (name=== "admin" & & password=== "123456") {/ / 2, create a session of user rain SSO Authentication Authority (in this case, the information will be saved to cookie), and create an authorization token token const token= "passport". Await ctx.cookies.set ('token',token, {maxAge:1000*60*60*24*30 HttpOnly:true}) if (ctx.query.redirectUrl) {/ / 3, With the token, sso Certification Authority jumps to the original request address (Application A) ctx.redirect (`${ctx.protocol}: / / ${ctx.query.redirectUrl}? token=$ {token}`) / / the rebound address is http://localhost:8686/?token=passport} else {ctx.body= "login successful!" }} else {ctx.response.body= {error:1, msg:' username or password error'}}) Jump from authentication server to return resources for applying A token verification

Application A

App.use (views (path.join (_ _ dirname,'./views')), {extension:'ejs'}) /... const system=process.env.SERVER_NAMErouter.get ("/" Async (ctx) = > {let user=ctx.session.user if (user) {/ /} else / / Application An is still not logged in, but there is a token http://localhost:8686/?token=passport {let token=ctx.query.token if (! token) {/ / on url. Jump to the SSO login page} else / / when jumping back to App A, go to the logic {/ / ajax request 4. Apply A to get the token and go to SSO Certification Authority to verify whether it is valid. If you return a valid registration application A const url= `: / / localhost:8383/check_token?token=$ {token} & tweak ${new Date (). GetTime ()} `let data = await koa2Req (ctx.protocol + url) If (data & & data.body) {try {const body=JSON.parse (data.body) const {error,userId} = body / / console.log (error,userId) 0 admin if (error==0) {if (! userId) {ctx.redirect (`http://localhost:8383/login?redirectUrl=${ctx.host+ctx.originalUrl}`) return} / / register session after verification is passed Render the page / / 5. Use A to create a session with the user, show the resources and maintain the user login state ctx.session.user=userId Await ctx.render ('index.ejs', {user:userId System})} else {ctx.redirect (`http://localhost:8383/login?redirectUrl=${ctx.host+ctx.originalUrl}`)}} catch (error) {console.log (error)}) app .use (router.routes ()) const port=process.env.PORT | | 8888app.listen (port) () = > {console.log (`app ${system} running at ${port} `)})

Logic for handling authentication tokens in the corresponding SSO

Auth/routes/check-token

Const router=require ("koa-router") () const service=require (".. / service") router.get ('/', async (ctx) = > {const token=ctx.query.token; const result= {error:1} / / if (service.isTokenVailid (token)) {result.error=0; result.userId='admin'} ctx.body=result} when token is password) module.exports=router

Auth/service/index.js

Module.exports= {isTokenVailid: function (token) {if (token & & token==='passport') {return true} return false}}

At this point, the user has been able to access the application Aspire SSO server and the application A server has the information that the user has logged in.

Access App B to jump to SSO authentication server with cookie

Application B

/ /... router.get ("/", async (ctx) = > {let user=ctx.session.user if (user) {/ /...} else {let token=ctx.query.token / /. If (! token) {/ / also has neither session nor token, jump to SSO authentication server / / 6. When users visit application B, they find that the user is not logged in (SSO authentication server and application B are not in the same domain and cannot provide login status), jump to SSO authentication center And bring your address and cookie information from previous conversations with SSO Certification Authority to ctx.redirect (`http://localhost:8383/login?redirectUrl=${ctx.host+ctx.originalUrl}`)} else {/ /. No, no, no. Verify part of the token}) app.use (router.routes ()) const port=process.env.PORT | | 8888app.listen (port, () = > {console.log (`app ${system} running at ${port} `)}) Jump the token from the authentication server back to application B

SSO authentication server with cookie when logging in again, so the login page Auth/routes/login will not be requested again

/ /... router.get ('/', async (ctx) = > {const cookies=ctx.cookies; const token=cookies.get ('token'); / / 7. SSO Certification Center discovers that the user is logged in, jumps back to the application B address and attaches token token if (token & & service.isTokenVailid (token)) {const redirectUrl=ctx.query.redirectUrl If (redirectUrl) {/ / jump back to application B ctx.redirect with token (`${ctx.protocol}: / / ${redirectUrl}? token=$ {token}`)} else {ctx.body= "login successful!" }} else {/ /... Render login page}}) / /.. Token verification returns resources

The logic here is the same as the five and six steps. Because token is easy to forge, it is necessary to verify whether it is true or false. Application B

App.use (views (path.join (_ _ dirname,'./views')), {extension:'ejs'}) /... const system=process.env.SERVER_NAMErouter.get ("/" Async (ctx) = > {let user=ctx.session.user if (user) {/ /} else / / App B is still not logged in, but there is a token http://localhost:8787/?token=passport {let token=ctx.query.token if (! token) {/ / on url. Jump to the SSO login page} else / / when jumping back to Application B, follow the logic {/ / ajax request 8. The same application B gets the token and goes to SSO Certification Authority to verify whether it is valid. If you return valid registration application B const url= `: / / localhost:8383/check_token?token=$ {token} & tweak ${new Date (). GetTime ()} `let data = await koa2Req (ctx.protocol + url) If (data & & data.body) {try {const body=JSON.parse (data.body) const {error,userId} = body / / console.log (error,userId) 0 admin if (error==0) {if (! userId) {ctx.redirect (`http://localhost:8383/login?redirectUrl=${ctx.host+ctx.originalUrl}`) return} / / register session after verification is passed Render the page / / 9. Apply B to create a session with the user, show the resources and maintain the user login state ctx.session.user=userId Await ctx.render ('index.ejs', {user:userId System})} else {ctx.redirect (`http://localhost:8383/login?redirectUrl=${ctx.host+ctx.originalUrl}`)}} catch (error) {console.log (error)}) app .use (router.routes ()) const port=process.env.PORT | | 8888app.listen (port) () = > {console.log (`app ${system} running at ${port} `)})

At this point, most of the logic of single sign-on has been completed. After visiting the page within the validity period of session, you no longer need to log in and return to the resources directly.

Router.get ("/", async (ctx) = > {/ / if you have user information in session, please return the request resource let user=ctx.session.user if (user) {await ctx.render ('index.ejs', {user, system})} / /.}) Thank you for your reading The above is the content of "how to achieve single sign-on in NodeJS". After the study of this article, I believe you have a deeper understanding of how to achieve single sign-on in NodeJS, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.