SSO with Signed Tickets

TL;DR

Yes, you can build a good Single Sign-On (SSO) system around a server signing tickets instead of validating them on demand. This approach – often called ‘signed tokens’ or ‘JWT-based SSO’ – is common and offers performance benefits. However, it requires careful key management and consideration for token revocation.

How It Works

1. User Authentication: The user authenticates with an Identity Provider (IdP) – this could be your own login page or a third-party service like Google or Facebook.
2. Ticket Creation & Signing: Upon successful authentication, the IdP creates a ticket containing information about the user (e.g., username, roles). This ticket is then digitally signed using the IdP’s private key. This signature proves the ticket’s authenticity and integrity.
3. Ticket Delivery: The signed ticket is sent to the Service Provider (SP) – the application the user wants to access. Typically this is done via a redirect with the token in a query parameter or as an HTTP cookie.
4. Ticket Verification: The SP receives the ticket and verifies its signature using the IdP’s public key. If the signature is valid, the SP trusts the information within the ticket.
5. Access Granted: Based on the user information in the verified ticket, the SP grants access to the application.

Step-by-Step Implementation Guide

1. Choose a Token Format: JSON Web Tokens (JWTs) are the most popular choice. They’re compact, self-contained and widely supported.
   • Header: Specifies the signing algorithm (e.g., HS256, RS256).
   • Payload: Contains user information (claims). Keep this data minimal for security reasons.
   • Signature: Created using the IdP’s private key and the header/payload.
2. Implement Token Signing on the IdP: Use a cryptography library in your chosen language to sign the JWT.

   # Example Python with PyJWT
   import jwt
   
   payload = {'username': 'user123', 'roles': ['admin']}
   token = jwt.encode(payload, 'your_secret_key', algorithm='HS256')
   print(token)

3. Implement Token Verification on the SP: Use a similar cryptography library to verify the JWT’s signature.

   # Example Python with PyJWT
   token = 'your_jwt_token'
   try:
     decoded_payload = jwt.decode(token, 'your_secret_key', algorithms=['HS256'])
     print(decoded_payload)
   except jwt.ExpiredSignatureError:
     # Token has expired
     print('Token Expired')
   except jwt.InvalidSignatureError:
     # Invalid signature
     print('Invalid Signature')

4. Key Management: Securely store and rotate the IdP’s private key.
   • Use a Hardware Security Module (HSM) for maximum security.
   • Regularly rotate keys to limit the impact of compromise.
   • Never commit private keys to version control!
5. Token Expiration: Set an appropriate expiration time for tokens.
   • Short-lived tokens are more secure but require more frequent re-authentication.
   • Balance security with user experience.
6. Token Revocation (Important!): Signed tickets cannot be easily revoked once issued. Implement a mechanism to handle revocation.
   • Blacklisting: Maintain a list of revoked tokens on the SP. This requires checking against the blacklist on every request, impacting performance.
   • Short Token Lifetimes: Relying solely on short token lifetimes is a simple but less flexible approach.
   • Refresh Tokens: Issue long-lived refresh tokens that can be used to obtain new access tokens. Revoking the refresh token effectively revokes access. This is the most common and recommended solution.
7. Transport Security (HTTPS): Always use HTTPS to protect tickets in transit.

Advantages of Signed Tickets

• Performance: SPs don’t need to make real-time calls to the IdP for every request.
• Scalability: Reduced load on the IdP.
• Statelessness: SPs can be stateless, simplifying deployment and scaling.

Disadvantages

• Key Management Complexity: Requires robust key management practices.
• Token Revocation Challenges: Implementing effective token revocation is crucial but complex.
• Token Size: JWTs can be relatively large, impacting bandwidth.