buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
MIT License
3.1k stars 186 forks source link

Add the ability to specify custom headers in the auth redirect response #255

Open AlstonLin opened 5 years ago

AlstonLin commented 5 years ago

Is your feature request related to a problem? Please describe. This feature request will solve a problem we're currently experiencing when the SSO is used for a cross-origin backend server.

Suppose you have the following api.example.com - This is an API server app.example.com - This is a web app that performs cross-origin requests to api.example.com

Both are placed behind the SSO proxy. Thus, in order for any requests to be performed to api.example.com, the user must already be signed into the sso-auth service.

The issue is when app.example.com is loaded for the first time, the following occurs

This is where the problem occurs, ideally what happens is

But what occurs is

Describe the solution you'd like There's many possible solutions to this, from more general to specific we can

Describe alternatives you've considered All alternatives are also described above. The currently workaround is to directly visit api.example.com before visiting app.example.com, so the session cookie is set for when app.example.com sends a request to api.example.com.

Additional context Add any other context or screenshots about the feature request here.