Many people need to settle cross-domain tokens, but almost every reply says it is not going to happen and that you should change your mind.
Trust me, it is easy to make it happen. Just follow my steps; this proposal will show you something brand new.
- Goals:
  - prohibit users from sharing a login link with someone else;
  - always be able to get the user's token or userId, whichever domain the user links to.
- Approach:
  - use fingerprint2 to identify the user's device;
  - to raise the probability that the device is detected as unique, the user's IP is also required;
  - set up a database to store the login records (lowdb.js is my choice);
  - when a user logs in to one of your apps, insert a record into the database, like { authId, IP, fingerprint, jwtToken };
  - when a user's auth status needs to be checked, search the database and match this user's { authId, IP, fingerprint }.
- Known limits:
  - if a user shares a link with someone who has the same fingerprint info, information will be leaked (I assert that only a few people share the same fingerprint info);
  - users can still share the link / authId / fingerprint info with other people (I can only say that someone can share their account and password with other people too; how can you stop it?).
- Login:
  - after the OAuth action, you have the userId;
  - post the data { userId, fingerprint } to the login API, which returns an authId and the token;
  - store the authId in localStorage.
- Check the auth status:
  - before any sensitive operation, check the auth first and make sure the auth status is all right; otherwise make the user log in again;
  - post the data { fingerprint } to the check API, which returns a userId and the jwtToken;
  - or just take the authId from the token in the request headers;
  - if it is not a legal user, the API returns false.
- Logout:
  - remove the authId and the token from localStorage;
  - post the data { authId } to the logout API, which returns true;
  - or just take the authId from the token in the request headers.
- Cross-domain link:
  - the href should be xxx.com?authId=:authId;
  - on the target domain, store the authId in localStorage;
  - post the data { authId, fingerprint } to the check API, which returns a userId.
- After the check:
  - as you can see, once a user in your app has a userId, you can treat them as a legal user;
  - post the userId to your access center server to check the user's permissions;
  - post the userId to your user center server to get the user profile;
  - use the jwtToken to request whatever APIs you need.