I am stumped at this problem.
Users authenticate at my client’s website. Then the users see their profile page on my client’s website. My client now wants me to provide a URL on their profile page, for his users, to download information from an external website. (This external website is not controlled by my client). That is to say, upon clicking this URL, it links out to an external website and gets a personalized file.
As the information is considered sensitive (not critical), the external website should not allow anyone to download the personalized file.
I’m stumped at figuring out how to allow only one authentication (on my client’s website) instead of having the end users authenticating twice (once on my client’s website and separately on the external website)
Any ideas?
Pre-signed URLs may be of help. When a user authenticate on one website, the website can query the other website for a pre-signed URL which doesn’t need authentication as the main website has already done that.
We are using this feature with amazon.
5
Unless you have direct access to the external site or some kind of agreement with whoever maintains the site this is an unsolvable problem. You need to pass on some kind of token to the external site to let them know it is OK to access whatever sensitive information you are trying to access and this requires some kind of coordination between the two sides. Moreover, whatever protocol you design needs to follow proper security practices. This is not a simple undertaking and is one of the many reasons protocols like OAuth exist.
1
And what about having one login/password for your client at the second server? After a user is logging to your client server he can launch the connection to the second server by javascript, not seeing neither login nor password. Of course, it is not very safe, but more safe than no login/password.