Following problem.
I have a website:
example.com
but there are some side websites, let's say:
data.example.com
help.example.com
They are all run by the same Flask application. Now I want the user to be able to click login on any of those websites and be logged in on all of them. Right now there are two POST requests available at:
example.com/api/login
example.com/api/logout
Now the issue is, when logging in from example.com everything works beautifully. I am even logged in on the subdomains themselves. Thank you Mozilla. But when logging in from one of the other subdomains I get a failure response due to domain mismatch, which makes perfect sense to me since it's a security risk.
I know of two solutions:
- When on the subdomain, redirect to the real domain first and have the user click login again.
- Create /api/login and /api/logout URLs for every subdomain itself. The problem here is that the user needs to log out at the URL he logged in at.
Of course method 2 would be better for the user.
Now the real question: is there any way to log in from these subdomains without login/logout URLs for each domain?
Let me know if I need to clarify. Thanks in advance.
One idea would be for data.example.com and help.example.com to have an iframe with the example.com login button in it, instead of these two subdomains hosting their own login buttons. That way, when users go to the two subdomains, they end up clicking the login button for the top-level domain (example.com) and setting a cookie that will work on all three.
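
The cookie scoping behind this answer, as an added example that is not part of the original post: a simplified model of RFC 6265 domain matching that shows which of the three hosts receive a cookie, depending on which host sets it and with what Domain attribute. It ignores the public-suffix check, Path, Secure and SameSite, and the function names are illustrative.

```python
# Added example: RFC 6265 cookie scoping for the three hosts in this thread.
# Simplified model: no public-suffix check, no Path, Secure or SameSite.

HOSTS = ["example.com", "data.example.com", "help.example.com"]


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def store_cookie(setting_host, domain_attr=None):
    """Model the browser's decision when setting_host sends Set-Cookie.

    Returns (cookie_domain, host_only), or None when the browser rejects
    the cookie because setting_host does not fall under the Domain asked for.
    """
    if domain_attr is None:
        # No Domain attribute: the cookie is bound to the exact setting host.
        return (setting_host.lower(), True)
    domain = domain_attr.lower()
    if domain.startswith("."):
        domain = domain[1:]  # a single leading dot is ignored
    if not domain_match(setting_host, domain):
        return None
    return (domain, False)


def receivers(cookie, hosts=HOSTS):
    """Hosts whose requests would carry the stored cookie."""
    if cookie is None:
        return []
    domain, host_only = cookie
    if host_only:
        return [h for h in hosts if h.lower() == domain]
    return [h for h in hosts if domain_match(h, domain)]


if __name__ == "__main__":
    cases = [
        ("example.com", None),
        ("example.com", "example.com"),
        ("data.example.com", None),
        ("data.example.com", "example.com"),
        ("data.example.com", "help.example.com"),
    ]
    for host, attr in cases:
        print(f"{host:17} Domain={attr!s:17} -> {receivers(store_cookie(host, attr))}")
```

The last case is the one to watch for when debugging: a host asking for a sibling's domain is rejected outright, while a host asking for the shared parent domain is accepted and the cookie reaches all three.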