
ReArmedHalo

Multiple Applications, One User

Hi guys,

I'm struggling with a bit of an architecture problem right now and hoping for some help.

Currently I have a single application so users are authenticating on there. However, a second application is being developed and we want to have all user information available to both applications. Similar to how Microsoft has multiple applications you can access by signing in with your Microsoft ID.

The plan: accounts.applicationA.com, store.applicationA.com, applicationB.com, etc.

I was thinking OAuth via Passport would be perfect for this, but I realized now that I either need to have users "approve" access via the Access Token grant type (which feels like bad UX since these are all first-party applications) or use the Password Grant.

I am trying to avoid having to implement the login views for each application and ensuring we keep the throttling and other security measures in sync across all apps. I wanted it to work a bit like Microsoft: they have a single login page that you are redirected to, you log in and done. When you go to another application, it takes you to said login page, realizes you are already logged in and sends you back to the original application.

Lastly, I would like to come up with a solution (there are already packages for this, I haven't tried them out yet) that allows for 2FA via something like Google Authenticator or SMS codes, which is another reason for having accounts.appA.com handle everything auth related.

Authorization would obviously need to be handled on a per-app basis, and I am assuming each app would also have its own User table without passwords. I would need to implement an API call for every app so that when someone deletes their account on accounts.appA.com it does cleanup on the other applications.

Sorry for the wall of text but I wanted to give as much detail as I could about what I was thinking and what my goals were.

I appreciate any and all input! Thank you.

robrogers3

This is a cool question. I'm not going to address the 2FA. But regarding authentication between 2 separate webapps I think JWT and CORS and a little client side JS is your solution.

JWT is a simple(r) solution for token based authentication.

CORS allows for Cross-Origin Resource Sharing, 'cause AppA my . In this case, making AJAX requests to a non-originating domain.

About both: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://github.com/dwyl/learn-json-web-tokens

It looks a little complicated, but 2 Laravel packages help a lot. https://github.com/barryvdh/laravel-cors

https://github.com/tymondesigns/jwt-auth

So the idea (a common one likely):

  • make an authentication request on page load via AJAX.
  • if the user is authenticated then off they go. Perhaps refresh the token TTL.
  • if not, well, they need to authenticate: make a request to, say, /authenticate and on success store the JWT token on the client, where
    • AppA curls out to the authentication server
    • AppB same
    • OR, best, use CORS to directly authenticate with the authentication server
  • once they have an authenticated JWT token
  • then off they go; all guarded requests from there on are now authorized via JWT.

I think that sounds right.

ReArmedHalo

Thanks for the info! I've heard of CORS and JWT but never really used them or looked at them so it looks like I have some reading to do. I'll keep this updated throughout my journey this weekend as I try and implement something.

ReArmedHalo

@robrogers3

I gave JWT a try, it doesn't seem like it is going to work the way I want to unless I completely implemented it wrong :P

The way I was able to figure it out is that I would have a login form on app2 and it would submit those to account.app1 via an API call; I would get a JWT token back that I could use to get information about the user account (I did get that working successfully). However, that is not the behavior I am looking for.

I ended up doing more research and remembered SAML is a thing; I had ruled it out a month ago for some reason when comparing OAuth, SAML, etc., and decided to revisit it. I've managed to get that implemented successfully, with a few bugs I'm still trying to work out, but working nevertheless.

I think I may end up using JWT tokens for first party applications (like a mobile application for example?) or OAuth as someday I may want to allow others to use my platform to authenticate users.

I do plan on updating this thread and providing some sample code for those who may be interested, but I am of course open to alternative methods (like if I really didn't understand the JWT approach that @robrogers3 suggested).

Thanks,
