I am running a SAAS company that is websited at www.mycompany.com, and I have a business-partner that is websited at www.mypartner.com. I'd like to redirect a user which is logged-in to www.mypartner.com portal to www.mycompany.com without requiring the user to login again.
I understand that oAuth 2.0 is the right solution to this problem. I am wondering, however, if there are any lighter alternatives, since customer doesnt use oAuth (they have a simple postgres table with uname/passwords, and an old php based website).
So far, this is a solution I have come up with:
The user is logged-in into www.mypartner.com, and hence, we have the user's details like their name, email-address, customer no. etc
We can ask www.mypartner.com developers to redirect the user to our website at www.mycompany.com, while putting the user details in the header. Since both websites are https, an eavesdropper cannot get these values
www.mycompany.com can then create / retrieve the user that matches the passed info, pre-fill the form etc and carry on the business
Are there any major drawbacks in this solution?
One concern I have is that anyone can put these fields into the header and log-in to www.mycompany.com. To avoid this, is it possible to ensure the following:
- No one can access www.mycompany.com unless they are being redirected from www.mypartner.com ?
