Single Sign-On across Racket- and non-Racket-based servers

Byron · January 26, 2022, 6:32am

Any recommendations for implementing single sign-on across multiple (in my case two) Racket web servers and a Node server for a React-based UI? The user should be able to login on the main server (Racket) and select a React.js app that will run on a Node.js server. The React app will make API calls to a second Racket-based server.

Is "single sign-on" too grandiose a term for this set-up. Is there a simple way to do it?

Byron

soegaard · January 26, 2022, 7:59am

Do you have a shared database?

Byron · January 26, 2022, 7:52pm

Yes, the database will be shared between the two Racket servers. There's no reason it couldn't be shared with the Node server, too.

Byron · January 27, 2022, 7:36pm

I'm probably overthinking this. I just need to encode the user credentials in the URLs to the secondary servers.

sschwarzer · January 27, 2022, 10:45pm

If I understand you correctly, this would mean that if a user A sends a page link to another user B, user A accidentally gives their credentials to user B. For this reason, putting credentials into an URL is a bad idea. Slightly less bad are credentials in a post request or in a cookie, but it's even better to use a (time-limited) session cookie. If you want, you can store the current session cookie for a user in the database.

Byron · January 27, 2022, 11:33pm

How does a second server recognize the user by a session cookie in the database?

Byron · January 27, 2022, 11:34pm

Thank you, by the way, for patching my mental bugs.

soegaard · January 28, 2022, 5:43am

How does a second server recognize the user by a session cookie in the database?

The same way the first server does.

The code for Racket Stories offers a concrete example.

The model (database) records a session on successful login.
The session is represented like this [1]:

(define-schema session
  ([id             id/f       #:primary-key #:auto-increment]
   [user-id        integer/f]
   [token          string/f]
   [created-at     datetime/f]
   [expires-at     datetime/f]))

When the session is created a random token is generated.
On the user side the token is stored in a cookie.

Since they are stored at the user side, we need to check that the session cookie isn't tampered with.
This check happens here in "control.rkt" [2].

Finally dispatch which receives the request needs to check whether the request comes from a logged-in user before anything else happens [3].

[1] https://github.com/soegaard/racket-stories/blob/master/app-racket-stories/model.rkt#L655
[2] https://github.com/soegaard/racket-stories/blob/master/app-racket-stories/control.rkt#L58
[3] https://github.com/soegaard/racket-stories/blob/master/app-racket-stories/control.rkt#L128

Byron · January 28, 2022, 5:45am

Thank you. I'll check it out.

sschwarzer · January 28, 2022, 9:55am

A lot more about session cookies here:

Topic		Replies	Views
Some questions about stateless web-server Questions & Answers	2	324	February 11, 2022
Shared state in a web server Questions & Answers	11	167	August 9, 2023
Simple Login / Logout examples using web-server Questions & Answers	1	168	February 27, 2024
Parallel activity in the web-server for a game Questions & Answers	5	176	October 2, 2023
Do not understand stateful vs stateless servlets Questions & Answers	1	220	August 19, 2023

Single Sign-On across Racket- and non-Racket-based servers

Related Topics