I’m thinking of creating an Auth server that sits on top of Cognito that manages the user session for my various applications spread across distinct domains. The goal being a Single Sign-On experience so that if you sign in via domain A, domains B and C will share that same session.
This would be accomplished by redirecting to the Auth server for sign-in, which redirects in turn to Cognito. Upon successful authentication, Cognito redirects to the Auth server, which is able to grab the refresh token and stick it into a Secure, HttpOnly cookie. Finally, the Auth server redirects to the domain that requested login with an access and ID token (if applicable).
Once authenticated, a request from any of the domains (enforced via CORS) can be used to get an access token for the server-side APIs, to get user info, tenant info, etc., all without explicitly sending any tokens to the Auth server itself. This permits silent logins from all the domains within the same browser so long as the refresh token is valid.
Cognito signs the JWTs with a secret key, so it would be very difficult to forge a JWT.
Would this be a safe way to handle access tokens while providing a seamless SSO experience across multiple domains? Are there any security problems I should look out for with such an architecture? Is there a better way to do it?
Thanks!
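The cross-domain token endpoint the question describes, as an added example that is not part of the original post or of any AWS code: it shows the cookie attributes, the CORS allow-list and the CSRF check the Auth server needs before it will mint tokens for one of the application domains. The origins, the cookie name and the `exchange` callback are assumptions; `exchange` stands in for the call to Cognito's token endpoint so the example runs offline.

```javascript
// Added example (not from the original post): Auth server /token endpoint logic.
// ALLOWED_ORIGINS, COOKIE_NAME and the injected `exchange` callback are assumptions.

// Only these first-party origins may call the Auth server with credentials.
// "*" is never valid together with Access-Control-Allow-Credentials: true.
const ALLOWED_ORIGINS = new Set([
  'https://app-a.example.com',
  'https://app-b.example.com',
  'https://app-c.example.com',
]);

// The __Host- prefix makes the browser refuse the cookie unless it is Secure,
// has Path=/ and no Domain attribute, so a sibling host cannot plant it.
const COOKIE_NAME = '__Host-rt';

// Set-Cookie value for the refresh token, emitted on the redirect back from
// Cognito. SameSite=None is needed because app-a/b/c will later call this
// server cross-site with credentials; that makes HttpOnly, Secure and an
// explicit CSRF check non-negotiable.
function refreshCookie(refreshToken, maxAgeSeconds) {
  if (!/^[A-Za-z0-9._~+/=-]+$/.test(refreshToken)) {
    throw new Error('refresh token contains characters not allowed in a cookie value');
  }
  return `${COOKIE_NAME}=${refreshToken}; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=${maxAgeSeconds}`;
}

function clearCookie() {
  return `${COOKIE_NAME}=; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=0`;
}

// CORS response headers for a credentialed request, or null for a foreign origin.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact allowed origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'POST',
    'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
    Vary: 'Origin',
  };
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// POST /token from app-a/b/c: turn the session cookie into fresh tokens.
// `req` is { headers: { origin, cookie, 'x-requested-with' } };
// `exchange(refreshToken)` returns { access_token, id_token, expires_in } or null.
function handleTokenRequest(req, exchange) {
  const cors = corsHeaders(req.headers.origin);
  if (!cors) return { status: 403, headers: {}, body: { error: 'origin_not_allowed' } };

  // A SameSite=None cookie rides along with any cross-site POST, including an
  // HTML form on an attacker's page. Requiring a custom header forces a CORS
  // preflight, which only the allow-listed origins pass.
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: cors, body: { error: 'csrf_check_failed' } };
  }

  const refreshToken = parseCookies(req.headers.cookie || '')[COOKIE_NAME];
  if (!refreshToken) return { status: 401, headers: cors, body: { error: 'no_session' } };

  const tokens = exchange(refreshToken);
  if (!tokens) {
    // Revoked or expired refresh token: drop the cookie so every domain sees the logout.
    return { status: 401, headers: { ...cors, 'Set-Cookie': clearCookie() }, body: { error: 'session_expired' } };
  }
  // The refresh token never leaves the cookie jar; only the short-lived
  // access/ID tokens are handed to the calling domain.
  return {
    status: 200,
    headers: { ...cors, 'Cache-Control': 'no-store' },
    body: { access_token: tokens.access_token, id_token: tokens.id_token, expires_in: tokens.expires_in },
  };
}
```

The callers in domains A, B and C would use `fetch('https://auth.example.com/token', { method: 'POST', credentials: 'include', headers: { 'X-Requested-With': 'XMLHttpRequest' } })`; the `credentials: 'include'` is what makes the cookie travel, and the custom header is what makes a forged form POST fail preflight.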
Security Considerations:
Cookie Security:
Secure flag and proper SameSite settings.
Token Validation:
CORS:
Token Expiry and Refresh:
Error Handling and Logging:
Alternatives and Best Practices:
OAuth 2.0 and OIDC:
Federated Identity and SSO Providers:
Multi-Factor Authentication (MFA):
Continuous Monitoring and Security Audits:
In summary, while your architecture can provide seamless SSO, be sure to implement these security measures and consider leveraging established standards and managed solutions for enhanced security, scalability, and reliability.