OAuth2 System Design for Single Sign-On | Auto-Detect Session?

Çağlar Arlı

I'm working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I'm using AWS Cognito as a wrapper around a SAML IdP (Azure AD).

What I would like to figure out is: how can I make each of my applications automatically detect the user's active session in a secure manner? I.e., I don't want to request that the user log in to domain B if there is an active session that was initiated from domain A.

Since Cognito doesn't seem to provide any endpoint to determine if there is an existing session, I'm thinking the solution would probably consist of setting up a common Auth / Token server that sits in front of Cognito that all of my various services go through for authentication. When a user initially logs in, they are first redirected to the Auth server, which redirects them to Cognito and then to the IdP for the credentials. Then everything redirects to the respective login callback of the previous server in the chain as usual. The Auth server caches the refresh token as part of the user session in a secure HttpOnly cookie and is responsible for issuing access tokens to the various services.

Subsequent applications that are visited would be able to check with the Auth service if the user is already logged in and, if so, be able to request id + access tokens without further ado. Of course, access to the Auth service would itself need to be protected so that only requests from valid domains can get id + access tokens.

Is this a valid approach, or is there a better solution? In either case, is there some good documentation out there describing such an architecture and the security pitfalls to watch out for while implementing it?

Using CORS looks promising to control which domains can communicate with the Auth server. Would there be any problems with the Auth server issuing tokens to select domains over a public API endpoint? Only issuing said token if the user is authenticated already, of course.