SSO在Typo3多站点中
大家早上好。 我在同一个 TYPO3 实例上有两个具有不同域和共享前端用户的站点。创建 SSO 并确保登录第一个站点的用户在打开第二个站点时已经登录的最佳解决方案是什么? 我尝试使用 [SYS][cookieDomain] 但我认为它在不同的域中不起作用或者我做错了什么?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
HI SSO通常由于浏览器证券限制而变得更加复杂,并且在Typo3空间中没有常见的解决方案。
但是首先,关于cookie和浏览器安全的一些基础技术背景:
当您登录到网站时,服务器将递给您cookie(以识别您的SESION)。
但是,由于这些信息是Securty Relvant,只有浏览器将Cookie域仅发送回同一站点。 ,my-site.com不能 set 或 read typo3.org的cookie
因此,如果您的两个网站都共享一个常见的“ parent”,例如shop.example.com和news 。但是浏览器将拒绝为完全不同的域设置的cookie。
在我们建立了这些基础知识之后,如果Cookie无法跨越域边界,那么SSO如何工作。 USUALL有一个“集中”的身份验证提供商。在我们的示例中,Letzt称其为一个my-auth.com。
如果您想登录my-other-site.com,幕后发生的事情是您的浏览器将重定向到my-auth.com,并描述SSO的oringin recrect reculter。 (然后您在此执行登录名,或使用现有会话),然后将其重定向到my-other-site.com(带有参数以识别帐户),然后my-other-site.com创建新闻节(cookie) )带有该帐户信息。
如果您想给用户感觉自己只是“神奇地”登录的感觉。您需要一些JavaScript代码,这些代码可以使wiht my-auth.com(浏览器添加my-auth.com的会话cookie),以便您可以检查如果存在与my-aut.com进行的会话。然后根据结果创建本地会话。
如您所见,该过程更加复杂。有一些“标准”(每个供应商都会实现一些不同),但可以帮助您使用SSO。像 oauth oder OpenID 如果您查看 typo3扩展存储库或 packagist.org 您必须为自己的自我尝试使用一些OAUTH软件包,它们符合您的要求。
OAuth和Open ID是[Facebook / google / github / ...]按钮的所有登录之后的技术。
Hi SSO in general is a bit more complicated because of browser securty restrictions and there is no Common solution in the TYPO3 space.
but first of some basics technical background about cookies and browser security:
when you login to a website the server hands you a cookie (to identify your sesion).
but as these information are securty relvant only the browser sends the cookie domain only back to the same site. so my-site.com can not set or read a cookie for typo3.org
if both of your sites share a common "parent" like shop.example.com and news.example.com you can simply set
[SYS][cookieDomain]='example.com'this is within the browser securty framework so all subdomains get the session cookie. but the browser will reject cookies set for a totally different domains.after we have established these basics how does SSO then work if cookies can't cross domain boundaries. usuall there is a "centralized" authentcation provider. letzt call that one my-auth.com in our example.
if you want to log into my-other-site.com what happens behind the scenes is your browser is redirect to my-auth.com with paramters describing the oringin of the SSO Requet. (and you perform a login there, or use an existing session) and then get redirected to my-other-site.com (with paramters to to identify the account) and then my-other-site.com creates a news session (cookie) with that account information.
if you want give the user the feeling that they are just "magically" logged in. you need some Javascript code which comunicates wiht my-auth.com (the browser will add the session cookie of my-auth.com) so you can check if a session with my-auth.com exists. and then create a local session based on the result.
as you see the process is a bit more complex. there are some "standards" (which every vendor implements a bit different) but help you with SSO. like OAuth oder OpenID if you look at the TYPO3 Extension Repository or packagist.org there are some OAuth Packages availible you have to try for your self it they fit your requirements.
Oauth and Open ID are the technologies behind all the login in with [facebook / gooogle / github / ...] buttons.