I saw the information, and JOSSO was implemented with SSO through cookie, it seems that cross-domain is not supported.
If the user information is added to the URL, it will not taste it, do it, it is not good to directly stick multiple systems, and it is too strong. Moreover, it can only be applied to a jump on the current page. If the current page is turned off, then the joint website is accessed, you have to re-enter the username and password. It turned out that the leakage of user information, it seems that this is just a problem. Strictly speaking, this is not a complete SSO.
Now consider the way of Web Service is implemented. Services just need to provide a function and return True or false.
All systems first perform their own verification, if they are not passed, then call this function.
On the 18th, the SSO is reflected in: Even if the single login is reached, the verification of permissions / user information in the non-login page is different. Can SSO take care? Will you make things more more complicated?
Reference article
http://www.ronghai.com/solution/2004-09/627/627_1.html
After reading this article, there is a question: Since I use WebService to verify, why should I consider whether the client is B / S or C / S? And do you need a cookie?
