Description
Issue by bobbyrullo
Thursday Jul 02, 2015 at 15:56 GMT
Originally opened as https://github.com/coreos-inc/auth/issues/288
dex SSO:
To prevent people from having to type their email/passwords multiple times, we propose the following: after dex authenticates or registers, it drops an http-only cookie with a special JWT: one where the ISS and the AUD are the issuer (i.e., dex). Now, when a client app sends someone to authenticate via dex, if they have this cookie (and the JWT is valid, non-expired, etc.), dex will not require them to type a password or email or log in via a remote IdP (e.g. Google); instead they will see the dex-type interstitial that says something like "Such and such app wants to do stuff on your behalf", and they just have to click a button and they will be redirected to the client callback URL with the auth code.
This is still one click too many, however. So, when logging in (or registering), dex will add a special claim (something like "known_clients") that contains the clientID of the OIDC client (e.g. Creme). When authenticating for these clients, dex will authenticate immediately and send them over to the client callback URL.
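The decision logic sketched in the proposal, as an added Go example (not code from dex or from the issue author). It assumes the cookie JWT is HS256-signed with a key only dex holds, that the claim is literally named `known_clients`, and that the issuer URL and client IDs are constructed test values; the verifier checks the MAC, then requires iss == aud == dex and a future exp before either skipping login (consent interstitial) or skipping the click as well (known client).

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)
var enc = base64.RawURLEncoding
// SessionClaims is the cookie JWT proposed above: iss and aud are both dex itself.
type SessionClaims struct {
	Iss          string   `json:"iss"`
	Aud          string   `json:"aud"`
	Exp          int64    `json:"exp"`
	KnownClients []string `json:"known_clients,omitempty"`
}
func hs256(unsigned string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(unsigned))
	return mac.Sum(nil)
}
// Sign mints the cookie JWT with HS256 (hypothetical helper, not dex's own code).
func Sign(c SessionClaims, key []byte) string {
	payload, _ := json.Marshal(c) // a struct of plain fields cannot fail to marshal
	unsigned := enc.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + enc.EncodeToString(payload)
	return unsigned + "." + enc.EncodeToString(hs256(unsigned, key))
}
// Decide returns "login" (no trustworthy cookie), "consent" (show the interstitial) or "auto" (clientID is in known_clients).
func Decide(cookie string, key []byte, issuer, clientID string, now time.Time) string {
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 {
		return "login"
	}
	sig, err := enc.DecodeString(parts[2]) // check the MAC before parsing any claim
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return "login"
	}
	var c SessionClaims
	raw, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != issuer || c.Aud != issuer || now.Unix() >= c.Exp {
		return "login"
	}
	for _, known := range c.KnownClients {
		if known == clientID {
			return "auto"
		}
	}
	return "consent"
}
```

The iss == aud check is what keeps an ordinary ID token (aud = some client) from being replayed as an SSO cookie.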