Best way to login automatically between intranet sites?

We have a web shop and a web app (think Wordpress-hosting-like situation) on the same intranet, and would like to create an automatic login between these sites, that is, click “Go to web app” should automatically login if you’re already logged in on the web shop, and the other way around.

One complicating aspect is that the web app has its own user management system, and can add additional users without verifying email. The only unique guarantee is the combination of web app id and user id on that system.

One idea we have is to use Redis as a shared secret storage, and use a temporary shared secret to encode a JWT, and then redirect using JWT in the header. We would need to write authentication plugins to the shop system and the web app to make this work, but that shouldn’t be too hard.

Any other approaches that are recommended? Migrating the entire user base to a central IdP has been thought of but deemed pretty complex and hard.

22:10 < CeBe> olle: oauth is not very complicated if you only want to implement SSO with it
22:10 < CeBe> you can do much more fancy stuff with permission on data etc, but you can skip that if you only need SSO
22:12 < CeBe> SSO flow in Oauth means: when an application wants to log in a user, it redirects user to oauth provider, user gets logged in there and is redirected back to the application
with a token. the application then checks if the token is valid via an api call. all done.
22:12 < CeBe> Yii has support for the client side of that out of the box
22:13 < CeBe> we also implmented the server side on yiiframework.com to have sso with the forum, so you could check the website code on how that is done.