will be as many access tokens as there are applications that the user wants
to access.
A diagram will explain this.
Fig 14: Authentication and access tokens
The authentication token is generated by the SSO server once the user is
authenticated. As the diagram above shows, the SSO server shares this token
with the user's browser [15]. If the browser presents this token to the SSO
server again (within a reasonable time window), the SSO server will not
demand a fresh login and authentication cycle. This is Single Sign-On, of
course. We'll see the details of how this works in the next section, but note
that both types of tokens are stored by the SSO server in a token database,
because they will need to be retrieved for validation later.
The application-specific access token for a user and application is generated
after authentication. This second token (or more specifically, the handle or
ID of the token) needs to accompany the redirected request back to the
application, and the application's interceptor will need to have it validated
by the SSO server to prevent spoofing. That's why it needs to be saved in the
token database.
[15] This is usually a session cookie, and we'll see more of this when discussing the CAS
product.
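The two-token flow described above, as an added example that is not part of the book and does not model CAS or any other real product: a hypothetical in-memory SSO server keeps both token types in one token database, hands the authentication token to the browser, issues a per-application access token and returns only its handle for the redirect, and an application's interceptor validates that handle over a back channel. The class names, the credential store, and the choice to consume a handle on first validation are all assumptions of this example.

```python
import secrets
import time


class SSOServer:
    """Hypothetical SSO server (added example, not CAS or any real product).

    Both token types live in one token database so they can be retrieved later:
    the authentication token is checked when the browser comes back, and the
    application-specific access token handle is checked when an application's
    interceptor asks the SSO server to validate it.
    """

    def __init__(self, auth_ttl=600, clock=time.time):
        self.auth_ttl = auth_ttl                    # the "reasonable time window"
        self.clock = clock                          # injectable for tests
        self.token_db = {}                          # handle -> record (in-memory stand-in)
        self.users = {"alice": "correct horse"}     # constructed credential store

    def login(self, username, password):
        """Authenticate the user; on success issue the authentication token
        (in practice delivered to the browser as a session cookie)."""
        if self.users.get(username) != password:
            return None
        handle = secrets.token_urlsafe(16)
        self.token_db[handle] = {"type": "auth", "user": username, "issued": self.clock()}
        return handle

    def _user_for_auth_token(self, auth_token):
        rec = self.token_db.get(auth_token)
        if rec is None or rec["type"] != "auth":
            return None
        if self.clock() - rec["issued"] > self.auth_ttl:
            del self.token_db[auth_token]           # expired: force a fresh login
            return None
        return rec["user"]

    def access_request(self, auth_token, app_id):
        """The browser, redirected from an application, presents its auth token.
        Inside the window no fresh login is demanded; an access token for
        (user, app) is stored and only its handle is returned, to travel on the
        redirect back to the application. None means: log in again."""
        user = self._user_for_auth_token(auth_token)
        if user is None:
            return None
        handle = secrets.token_urlsafe(16)
        self.token_db[handle] = {"type": "access", "user": user, "app": app_id}
        return handle

    def validate(self, handle, app_id):
        """Back-channel call made by an application's interceptor. The handle is
        looked up in the token database, must be an access token bound to the
        calling application, and is consumed on first use (one-time use is an
        assumption of this example, not something the text mandates)."""
        rec = self.token_db.pop(handle, None)
        if rec is None or rec["type"] != "access" or rec["app"] != app_id:
            return None
        return rec["user"]


class AppInterceptor:
    """Hypothetical interceptor sitting in front of one application."""

    def __init__(self, app_id, sso):
        self.app_id = app_id
        self.sso = sso

    def handle_redirect(self, handle):
        """The handle arrives with the redirected request. A forged handle, or
        one issued for a different application, is rejected because the SSO
        server has no matching record for this application."""
        user = self.sso.validate(handle, self.app_id)
        if user is None:
            return "403 access token handle rejected by SSO server"
        return f"200 welcome {user}"


def demo():
    """Walk through the flow once; returns the responses so they can be checked."""
    sso = SSOServer()
    payroll = AppInterceptor("payroll", sso)
    auth_token = sso.login("alice", "correct horse")        # browser gets the auth token
    handle = sso.access_request(auth_token, "payroll")     # only the handle leaves the server
    first = payroll.handle_redirect(handle)                # interceptor validates it
    replay = payroll.handle_redirect(handle)               # same handle presented again
    forged = payroll.handle_redirect("not-a-real-handle")  # handle never issued
    return first, replay, forged


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the code makes concrete is why both tokens must be in the database: `access_request` can only skip the login cycle because it can find the auth token, and `validate` can only reject a guessed or mis-addressed handle because it can find (or fail to find) the access token for that specific application.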