Third Party SSO Strategy?

I have a XANO function performing a third-party SSO via REST endpoints.
In the end I end up with a lot of pieces of data including a 'Session Token'.

How can I keep XANO apis secure?
Should I put the session token in the 'extra' part of the regular Auth Token?
Should I put the session token in the $http_headers and check against that with each request?

I'm open to ideas, but I need the end user to enter their credentials only once.
I'm using WeWeb for the front end.

Comments

  • Ray Deck (Trusted Xano Expert)
    Multiple ways of doing it, but usually SSO returns an ID token, which you want to redeem for an access token. So the user enters their credentials in SSO, which generates an ID token (usually). You send the ID token to Xano, which validates it and returns the access token. The access token is what you use to authenticate your endpoints. When the access token expires, you have the user auth again.

    Auth is complex! It's a frequent topic in our State Change Pro office hours because once you crack it you're able to stack the rest of your app on a more secure foundation. 
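The redeem step described above, as an added example that is not the poster's, Ray Deck's or Xano's code (Xano function stacks are not Python). It assumes HS256 with constructed shared secrets so it runs offline; a real IdP signs ID tokens with RS256 and publishes a JWKS to verify against, and the issuer, audience and secret values here are placeholders. The third-party session token is kept server side, keyed by the user's subject, rather than being placed in the auth token's 'extra' field or in a client-supplied header.

```python
import base64, hashlib, hmac, json

IDP_SECRET = b"constructed-idp-secret"   # stands in for the IdP's signing key
API_SECRET = b"constructed-api-secret"   # the backend's own key for access tokens
ISSUER, AUDIENCE = "https://idp.example", "my-weweb-app"  # constructed values
SESSION_STORE = {}  # sub -> third-party session token, never sent to the client

def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(payload, key):
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def _verify(token, key, now):
    """Signature, pinned algorithm and expiry checks shared by both token types."""
    head, body, sig = token.split(".")
    if json.loads(_b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the alg; never trust the header's choice
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def verify_id_token(token, now):
    """Validate the IdP's ID token: signature and expiry, plus issuer and audience."""
    claims = _verify(token, IDP_SECRET, now)
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims

def verify_access_token(token, now):
    """What every protected endpoint runs on the bearer token it receives."""
    return _verify(token, API_SECRET, now)

def redeem(id_token, sso_session_token, now, ttl=3600):
    """Exchange a valid ID token for a short-lived access token; park the SSO session token server side."""
    sub = verify_id_token(id_token, now)["sub"]
    SESSION_STORE[sub] = sso_session_token
    return _sign({"sub": sub, "iat": int(now), "exp": int(now) + ttl}, API_SECRET)

def make_id_token(sub, now, key=IDP_SECRET, ttl=300):
    """Constructed stand-in for the ID token the IdP would issue."""
    return _sign({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                  "iat": now, "exp": now + ttl}, key)
```

When the access token expires, `verify_access_token` raises and the front end sends the user back through SSO, which is the re-auth step the reply above describes.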
  • pete letkeman
    Thank you for your insight, it was helpful.