Handling Auth for Multiple Services Without Cross-Domain Cookies

A quick note about handling auth across multiple apps - without using cookies.

Cookies are starting to get a bad rap. All sorts of legal disclaimers/acceptance popups and filters are starting to appear. This makes the usual approach to storing a session a bit awkward.

One way to carry an authenticated session from a central login to other apps, without exposing the JWT in the URL and without requiring every service to have direct access to the same databases, is to create temporary hand-off sessions.


This approach basically works like this:

  1. A central auth UI is provided a destination redirect URL to send the user to when auth is successful
  2. When credentials are entered correctly, the JWT is generated
  3. A temporary session (expiring after 1 minute) is created and a unique ID for this session is returned to the client
  4. The normal cookies are created (if desired) and the user is redirected to the destination URL, passing the session ID as a parameter
  5. The destination app is whitelisted as a request origin that can retrieve the JWT and any additional metadata you wish to provide to the app
  6. The destination app requests the JWT and details from the auth service, using the unique session ID
  7. The session is invalidated so the JWT cannot be requested again using this session ID
  8. The destination app can now store the JWT and additional details and operate like normal on behalf of the user
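
The auth-service side of steps 3 to 7, as an added example that is not code from the original post. The class and method names (`HandoffStore`, `create_session`, `build_redirect_url`, `redeem`), the in-memory dict store, the `session` query-parameter name and the 60-second default TTL are assumptions for illustration; a deployment with more than one auth-service instance would back the store with a shared cache that supports expiry so any instance can redeem the ID. The security-relevant details are that the session ID is a random token, that redemption is single-use regardless of whether the checks pass (a failed attempt burns the ID rather than leaving it live), and that the requesting origin must match the destination the session was issued for.

```python
"""Single-use, short-lived auth hand-off between a central auth UI and a
destination app that does not share a cookie domain with it.

Added example; names, store and TTL are assumptions, not the post's own code.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class HandoffSession:
    jwt: str
    destination_origin: str   # the only origin allowed to redeem this session (step 5)
    metadata: dict            # extra details handed to the destination app (step 8)
    expires_at: float         # absolute epoch seconds; 1 minute after issue (step 3)


class HandoffStore:
    def __init__(self, allowed_origins: Iterable[str], ttl_seconds: int = 60,
                 clock: Callable[[], float] = time.time):
        self.allowed_origins = {o.lower() for o in allowed_origins}
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, HandoffSession] = {}

    @staticmethod
    def origin_of(url: str) -> str:
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}".lower()

    def create_session(self, jwt: str, destination_url: str,
                       metadata: Optional[dict] = None) -> str:
        """Step 3: issue a random, short-lived session ID bound to the destination."""
        origin = self.origin_of(destination_url)
        if origin not in self.allowed_origins:
            # Refuse to hand a JWT to a destination that was never whitelisted (step 5).
            raise ValueError(f"destination {origin} is not whitelisted")
        session_id = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        self._sessions[session_id] = HandoffSession(
            jwt=jwt,
            destination_origin=origin,
            metadata=dict(metadata or {}),
            expires_at=self.clock() + self.ttl,
        )
        return session_id

    @staticmethod
    def build_redirect_url(destination_url: str, session_id: str) -> str:
        """Step 4: append the session ID to the destination URL as a query parameter."""
        parts = urlsplit(destination_url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("session", session_id))
        return urlunsplit((parts.scheme, parts.netloc, parts.path,
                           urlencode(query), parts.fragment))

    def redeem(self, session_id: str, requesting_origin: str) -> Optional[HandoffSession]:
        """Steps 6 and 7: return the JWT and metadata exactly once, or None."""
        # pop() removes the record before any check runs, so the ID is
        # single-use whether or not the redemption succeeds (step 7).
        session = self._sessions.pop(session_id, None)
        if session is None:
            return None                                  # unknown or already used
        if self.clock() > session.expires_at:
            return None                                  # past the 1-minute window
        if requesting_origin.lower() != session.destination_origin:
            return None                                  # wrong app asking
        return session


if __name__ == "__main__":
    # Constructed demo values; the JWT string is a placeholder, not a real token.
    store = HandoffStore(allowed_origins=["https://app.example.com"])
    dest = "https://app.example.com/auth/callback"
    sid = store.create_session("constructed.jwt.placeholder", dest, {"role": "admin"})
    print("redirect ->", store.build_redirect_url(dest, sid))
    first = store.redeem(sid, "https://app.example.com")
    print("first redeem  ->", first.jwt if first else None)
    print("second redeem ->", store.redeem(sid, "https://app.example.com"))
```

The destination app calls `redeem` over a server-to-server request with its own origin (or, in practice, an authenticated service identity) and then stores the returned JWT however it likes; the browser only ever sees the opaque session ID in the redirect.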

There's plenty of other workarounds, but this particular architecture has come in handy for my team lately, so I thought I'd share it.
