Session share between server

[vijaydogra]

Is there any facility that will allow to share sessions between different server and not in same domains (nor subdomain). For instance, abc.com authenticates a user, can it login into xyz.com using same token as provided by abc.com? If so, what is the configuration that needs to be made?

[vinckr]

I think you are confusing OAuth2 Access tokens with sessions.
There is the OAuth2 Access Token, but also three different session layers:
from the docs

• Your Application's Session Manager keeps track of the user within your application. You will use OpenID Connect to initiate and complete the login, but your application needs to store and track and invalidate the session.
• Ory Hydra maintains a session cookie. When a user signs in, the cookie will be set for that user. This allows the next OAuth2 request to complete without requesting the user to sign in again.
• Optionally - If your application connects to a third-party identity provider (e.g. Sign in with Google, GitHub, Facebook, ...) that third party provider also maintains a session of the user.

Now what I believe you are looking for is for a way to use the same Access Token that you received at abc.com to authorize (! OAuth2 is NOT an authentication protocol) a user at xyz.com.

So you want a way to specify multiple audiences in a single Access Token, correct?

[vinckr]

You can specify multiple audiences in the OAuth 2.0 Client’s metadata on a per-client basis:

documentation

{
    "client_id": "...",
    "audience": ["https://api.my-cloud.com/user", "https://some-tenant.my-cloud.com/"]
}

[VJSynthesis]

I tried those, however in case of callback how do I decide to which audience it goes?

[vinckr]

Excellent question!
You do this in your Login Endpoint.
Have a look at the diagram for the OAuth2 Login Flow.

We have a reference implementation of these endpoints here: https://github.com/ory/hydra-login-consent-node .

Unfortunately I cant give you a step-by-step guide how to set this up, but if you are up to it we could write one together?
I am sure there is other users who had the same problem as well, maybe you could try asking around in the slack as well if you get stuck.

[VJSynthesis]

This is informative. I will try this and document my findings over same.

[vijaydogra]

I can confirm that this works

hydra clients create --skip-tls-verify \ --endpoint "https://myauthhost/admin" \ --callbacks "https://myothersite/callback" \ --id "myid" \ --grant-types "authorization_code,client_credentials" \ --response-types "token,code,id_token" \ --token-endpoint-auth-method "none" \ --scope "openid, hydra.introspect" \ --audience "https://abc.com,https://myothersite.com,https://myanothersite,http://localhost:8080,http://localhost:8081,http://localhost:3001"