# Single Sign-On (SSO) ## About Single Sign-On (SSO) is an **authentication mechanism** that enables users to log in **once** and gain access to **multiple related applications** without being asked to log in again for each of them. Instead of each application having its own login system, **authentication is centralized** through a shared system called an **Identity Provider (IdP)**. **Example: App and Food Website** Consider a **banking app** and a **partnered food delivery website**. When a user logs into the banking app, they are authenticated by a central identity provider. Later, if they visit the food website (also integrated with the same identity provider), they are automatically recognized and logged in — no need to enter the username or password again. ## **SSO Flow**
1. **User logs in to the main app** * The app redirects the login request to an **Identity Provider** (IdP). * The user enters credentials. * The IdP authenticates the user and creates a **session**. 2. **Token is issued** * The IdP generates an **access token** and possibly an **ID token** (e.g., JWT). * These tokens contain claims about the user (username, email, roles, etc.). 3. **App stores the token** * The app stores the token temporarily (e.g., in memory or secure local storage). 4. **User clicks link to the food website** * The user is redirected to the food website. * The app passes the token (either through query param, cookie, or header). 5. **Food website validates the token** * The food website checks if the token is valid. * It may call the IdP or verify the JWT signature locally. * If valid, the user is authenticated without logging in again. ## Key Components
ComponentDescription
Identity Provider (IdP)A centralized authentication system that all apps trust (e.g., Keycloak, Okta, Azure AD)
Service Provider (SP)The app or website that delegates authentication to the IdP (e.g., your banking app or food site)
Token (JWT/Opaque)A digital proof that the user has been authenticated
ProtocolThe standard used to communicate authentication: OAuth2.0, OpenID Connect (OIDC), or SAML
## **Common Protocols Used**
ProtocolPurpose
OAuth2.0Authorization protocol, issues access tokens
OpenID Connect (OIDC)Built on top of OAuth2, used for Authentication (includes ID token)
SAML 2.0XML-based protocol, often used in enterprise SSO (e.g., for HR systems)
## **Token Types** {% hint style="info" %} * **Access Token** is used to access APIs and must be presented in every request (usually in the `Authorization: Bearer` header). * **ID Token** is only used in OpenID Connect and meant for identity — not for accessing APIs. * **Refresh Token** is kept secure and **never exposed to frontend apps** in public clients like browsers. {% endhint %}
Token TypePurposeContainsUsed ByLifespan
Access TokenGrants access to protected resourcesUser ID, scopes/permissions, expiry, audienceResource servers (APIs, microservices)Short-lived (minutes)
ID TokenVerifies the identity of the authenticated userUser info (email, name, username), issued time, expiryClient applications (e.g., frontend, app)Short-lived (minutes)
Refresh TokenIssues a new access token without re-loginClient ID, user ID, token expiryAuthorization server (IdP)Long-lived (hours/days)
## **Token Propagation in Microservices** When using SSO in microservices: * The **token is forwarded** between services (usually HTTP headers). * Each service must validate the token. * Centralized token verification reduces duplicated logic. For example: * App → API Gateway → Order Service → Delivery Service * The access token must be passed through each layer. ## **Security Considerations** 1. **Token Security** * Use **short-lived access tokens** and **refresh tokens**. * Store tokens securely (e.g., not in local storage for web apps). * Tokens must be signed (e.g., using RSA or HMAC) and verified on each request. 2. **Token Expiration & Revocation** * Tokens should expire quickly to limit impact if stolen. * Include a **revocation mechanism** (e.g., token blacklist or introspection endpoint). 3. **Logout** * Implement **Single Logout (SLO)** to end sessions across all systems when user logs out from one. * This is harder in practice and needs careful handling via the IdP. 4. **CSRF & CORS** * Handle cross-origin scenarios properly (especially when passing tokens between domains). * Use secure cookies and CSRF tokens where needed. 5. **TLS Everywhere** * All communication between client, IdP, and service providers must use HTTPS. ## **Common Tools for Implementing SSO**
ToolPurpose
KeycloakOpen-source identity provider with OAuth2, OIDC, SAML support
OktaCloud-based IdP for enterprise SSO
Spring Security + OAuth2 ClientCommon in Java Spring Boot applications
Azure AD / Google IdentityCommon external IdPs for SSO
API Gateway (e.g., Kong, NGINX)Used for token validation and enforcement
## **Advantages** * **Improved user experience**: One login for many services. * **Centralized authentication**: Easier to enforce security policies. * **Reduced password fatigue**: Users don’t have to remember multiple credentials. * **Auditability and logging**: Track access across all systems from one place. * **Faster onboarding/offboarding**: Add or remove access from a central system.