I have a customer who has a client app and when they log in to their client app, they will see a link to my website. When they click on the link, it should log them in automatically to the website without asking for the credentials. Is this only possible if the username/password are the same between the client app and the website? Also, what if the username/password is not known for the client app? How is this handled? I have heard of technologies such as OpenID, OAuth, etc., but these don’t seem to fit my scenario where there is an existing client app that already has a membership base and it now needs access to my website.
I am not sure what approach to take here. If the above is confusing, I will give a scenario:
- User A logs into their desktop application.
- User A clicks a link to go to www.mysite.com.
- User A is authenticated and authorized for www.mysite.com, so they do not need to provide credentials.
This can only be done with the aid of the desktop/website that contains your link. If you can change that app, then this is possible; if not, not.
In order to log your user in securely, you need to know they were logged into the other app — the only way for that to happen is for it to give something to the user to give to you that says, yeah, he is logged in.
I agree that @jmoreno (+1) is the only way it could work.
However, if I were the author of the desktop app that calls your website, I would not reveal the desktop user's password to any foreign link or to anybody else.
Maybe it is easier for your website to remember your customer through a cookie, so every web user only has to log in once.
If the desktop app and your website both use OpenID (or OAuth), the user still has to agree that the OpenID provider is allowed to be used by the desktop app and your website.
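The "something that says he is logged in" from the first answer, which also avoids sharing any password as the second answer asks, can be a short-lived, single-use signed token carried in the link. This is an added example, not code from either answer; it assumes the token is minted by the app vendor's login server (not inside the desktop binary), that both sides agree on a user identifier, and the key, lifetime and `/sso` path are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: key shared by the app vendor's login server and the website,
# kept server-side only (a key shipped inside the desktop binary can be extracted).
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 60          # seconds a login link stays valid
seen_nonces = set()   # website-side replay cache; use a shared store with expiry in production

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, now=None):
    """App vendor's server: vouch that user_id is logged in, without any password."""
    claims = {"sub": user_id, "iat": int(time.time() if now is None else now),
              "nonce": secrets.token_hex(16)}
    payload = json.dumps(claims).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_token(token, now=None):
    """Website: return the user id if the token is authentic, fresh and unused, else None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError:                           # wrong shape or bad base64
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)                 # parsed only after the MAC checks out
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return None
    if claims["nonce"] in seen_nonces:           # single use: reject replays
        return None
    seen_nonces.add(claims["nonce"])
    return claims["sub"]

if __name__ == "__main__":
    # Hypothetical landing path on the website; the link is what the desktop app opens.
    link = "https://www.mysite.com/sso?token=" + issue_token("userA")
    print(link, verify_token(link.split("token=")[1]))
```

After a successful `verify_token`, the website maps the returned identifier to its own account and sets its normal session cookie; the link must travel over HTTPS because the token is a bearer credential until it is used or expires.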