What is Single Sign-On?
Frontend Single Sign-On (SSO) is a user authentication and authorization technology that enables users to log in to multiple applications or websites using a single set of credentials, without the need to re-enter or re-register. This approach enhances user experience, reduces maintenance costs, and improves security.
Introduction and Implementation of Single Sign-On Solutions
The main approaches to frontend SSO include the following:
Cookie-Based SSO
After successfully logging into the authentication center on Page A, a cookie is set:
This is the most common SSO implementation. The principle relies on the browser's cookie mechanism. When a user logs into an application for the first time, a request is sent to the authentication center. After verifying the user's identity, the authentication center returns an encrypted cookie containing user information and an expiration period. The cookie's domain is set to the top-level domain (e.g., example.com
), allowing it to be shared across applications under the same top-level domain (e.g., a.example.com
and b.example.com
). When the user accesses other applications, they check for a valid cookie. If it exists, they log in directly; if not, the user is redirected to the authentication center for login. This method is simple to implement but is limited to applications under the same top-level domain, has cross-domain issues, and imposes restrictions on the size and number of cookies.
Setting a cookie after successful login on Page A:
// Generate an encrypted cookie value
const encryptedValue = encrypt(userinfo);
// Set the cookie
document.cookie = `sso_token=${encryptedValue};domain=.example.com;path=/;max-age=86400;`;
Checking for the cookie on Page B:
// Retrieve the cookie
const cookieValue = document.cookie
.split(';')
.find((cookie) => cookie.trim().startsWith('sso_token='))
.split('=')[1];
// Decrypt the cookie
const userinfo = decrypt(cookieValue);
// Log in directly
login(userinfo);
Token-Based SSO
This is a stateless SSO implementation. The principle involves sending a request to the authentication center during the user's first login. After verifying the user's identity, the authentication center returns an encrypted token containing user information and an expiration period, which is stored in the browser's local storage (e.g., localStorage
or sessionStorage
). When the user accesses other applications, they check for a valid token. If it exists, they log in directly; if not, the user is redirected to the authentication center for login. This method supports cross-domain operations and is not restricted by cookies but requires additional storage space and network overhead. It also poses security risks, as stolen tokens can lead to identity misuse.
Storing the token in localStorage
after a successful login on Page A:
// Generate the token value
const token = generateToken(userinfo);
// Store the token
localStorage.setItem('sso_token', token);
Checking for the token on other pages:
// Retrieve the token
const token = localStorage.getItem('sso_token');
// Validate the token
const userinfo = verifyToken(token);
// Log in directly
login(userinfo);
OAuth 2.0-Based SSO
This approach uses the Authorization Code flow of OAuth 2.0. When a user logs into an application for the first time, a request is sent to the authentication center. After verifying the user's identity, the authentication center returns an authorization code and redirects to the application's callback URL. The application then sends the code to the authentication center to exchange it for an access token and refresh token containing user information and expiration periods. These tokens are stored in the browser's local storage. When the user accesses other applications, they check for a valid access token. If it exists, they log in directly; if not, the user is redirected to the authentication center for login. This method adheres to the OAuth 2.0 standard and supports multiple client types (e.g., web, mobile, desktop). However, it is more complex and requires multiple requests and redirects.
Sending an authorization request on Page A:
const authorizeUrl = `https://auth.example.com/authorize?client_id=${clientId}&redirect_uri=${encodeURIComponent(
redirectUri
)}&response_type=code`;
// Redirect to the authentication login page
window.location.href = authorizeUrl;
Redirecting back to Page A's callback URL with the authorization code after successful login:
const redirectUri = 'https://app.example.com/callback';
// Generate the authorization code
const code = generateAuthorizationCode(userinfo);
// Redirect back to the application's callback URL
window.location.href = `${redirectUri}?code=${code}`;
Exchanging the authorization code for an access token on Page A:
const code = getQueryString('code');
// Send a request to the authentication center to get the access token
const tokenUrl = `https://auth.example.com/token?client_id=${clientId}&client_secret=${clientSecret}&code=${code}&grant_type=authorization_code`;
fetch(tokenUrl)
.then((response) => response.json())
.then((data) => {
// Store the access token and refresh token
localStorage.setItem('access_token', data.access_token);
localStorage.setItem('refresh_token', data.refresh_token);
// Log in directly
login(data.userinfo);
});
We are Leapcell, your top choice for hosting Node.js projects — we support file uploads up to 100 MB!
Leapcell is the Next-Gen Serverless Platform for Web Hosting, Async Tasks, and Redis:
Multi-Language Support
- Develop with Node.js, Python, Go, or Rust.
Deploy unlimited projects for free
- pay only for usage — no requests, no charges.
Unbeatable Cost Efficiency
- Pay-as-you-go with no idle charges.
- Example: $25 supports 6.94M requests at a 60ms average response time.
Streamlined Developer Experience
- Intuitive UI for effortless setup.
- Fully automated CI/CD pipelines and GitOps integration.
- Real-time metrics and logging for actionable insights.
Effortless Scalability and High Performance
- Auto-scaling to handle high concurrency with ease.
- Zero operational overhead — just focus on building.
Explore more in the Documentation!
Follow us on X: @LeapcellHQ
Top comments (2)
Isn't it not safe to store tokens in local storage because of XSS attacks?
I thought the same, storing tokens in local storage can expose them to XSS