Cookie-based Authentication for separate Browser login
- Cookie Authentication
- JWT based Authentication
Cookie Auth to Browser (Authenticate User to Facebook)
Dom cookie (browser-specific domain cookie, short-lived: 8 hours)?
Purpose: the user accesses a page (facebook.com) from one browser (e.g. Chrome). Once the user is authenticated, this cookie is set in that app/browser, and the app/browser presents it on every later request to the domain.
The user has to obtain a new domain cookie when accessing the same page from another browser (e.g. Edge, Firefox), because the cookie is bound to the browser that received it.
Glo cookie (global cookie, long-lived: 3 years)?
Purpose: this is also set in the browser. After the glo cookie expires the user has to log in again (on all domains, browsers and apps).
@startuml
!pragma teoz true
participant "Chrome\nBrowser" as cb
participant DNS as dns
participant CDN as cdn
box datacenter #FFFFFF90
participant "Load\nBalancer" as lb
participant "Firewall\nProxy" as fw
participant "Auth Svc" as auth
participant "IAM Svc" as iam
participant "Policy" as policy
participant "App\nServer" as as
end box
participant "IDP" as idp
note over cb
User opens facebook.com in Chrome browser
end note
cb -> dns: "IP of\nfacebook.com"
dns -> cb: IP of CDN
cb -> cdn: "HTTP GET\nhome page"
cdn -> cb: "facebook.com\nhome page"
note over cb
home page has PAC file to direct traffic to nearest Datacenter
end note
note over cb #LightPink
Enter user,pass
end note
cb -> lb: HTTP GET
lb -> fw: HTTP GET
note over fw #LightGreen
Does the request have a dom cookie? No: first-time user
end note
fw -> cb: HTTP Redirect (auth svc)\nurl: http://auth.test.com/userid
cb -> auth: http://auth.test.com/userid
note over auth #LightGreen
Is a glo cookie present? No: authenticate user
end note
auth -> iam: Get userid auth method
iam -> auth: http://okta-azure
auth -> cb: http://okta-azure
cb -> idp: user,pass login
idp -> cb: authenticated
idp -> auth: SAML Assertion\nuserid authenticated\ngroup1,userid,domain
auth -> iam: SAML data
note over iam #LightGreen
Create GC
end note
iam -> auth: GC
auth -> cb: Set GC in browser
cb -> lb: HTTP GET\n(with GC)
lb -> fw: HTTP GET\n(with GC)
note over fw #LightGreen
Does the request have a DC? No.
end note
fw -> cb: HTTP Redirect (auth svc)\nurl: http://auth.test.com/userid
cb -> auth: http://auth.test.com/userid
note over auth #LightGreen
Is a DC present for this GC? No: create DC
end note
auth -> cb: set DC
cb -> lb: HTTP GET (with DC)
lb -> fw: HTTP GET (with DC)
fw -> policy: HTTP GET (DC)
policy -> fw: groups
note over fw #LightGreen
Apply pre-configured policies based on groups
end note
note over fw #LightPink
Allow or Deny
end note
fw -> as: HTTP GET
hnote across: For other browsers (Edge, Firefox) the same process is repeated
@enduml
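The decision logic behind the two cookies and the sequence diagram above, as an added Python simulation that is not part of the original notes or of any real Facebook/Okta/Azure system. It assumes HMAC-SHA256-signed cookies carrying a JSON payload, a hypothetical pre-configured group policy (POLICY), a constructed SAML assertion (SAML), and a constructed signing key; the URLs http://auth.test.com/userid and http://okta-azure are the ones in the diagram. The glo cookie (GC) is minted once from the IdP assertion and lives 3 years; the dom cookie (DC) is derived from a valid GC, bound to one browser, and lives 8 hours, so a DC that has expired is re-issued without another IdP round trip, and a DC copied into a different browser is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real deployment keeps the signing key in a secret store/HSM.
SECRET = b"constructed-demo-signing-key"
GC_TTL = 3 * 365 * 24 * 3600   # "glo" cookie (GC): long-lived, 3 years
DC_TTL = 8 * 3600              # "dom" cookie (DC): short-lived, 8 hours, bound to one browser
AUTH_URL = "http://auth.test.com/userid"   # Auth Svc redirect target from the diagram
IDP_URL = "http://okta-azure"              # IdP login URL from the diagram
# Hypothetical pre-configured group policy consulted by the Firewall Proxy (default deny).
POLICY = {"group1": "allow"}
# Constructed content of the SAML assertion the IdP posts after a successful login.
SAML = {"userid": "user1", "groups": ["group1"], "domain": "facebook.com"}


def _sign(payload: dict) -> str:
    """Encode a cookie as base64(json) '.' hex(HMAC-SHA256) so tampering is detectable."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def _verify(cookie, now: int):
    """Return the payload of a correctly signed, unexpired cookie, or None."""
    if not isinstance(cookie, str) or "." not in cookie:
        return None
    body, mac = cookie.split(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time MAC comparison
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["exp"] > now else None


def issue_gc(saml: dict, now: int) -> str:
    """IAM Svc: create the glo cookie from the SAML assertion (userid + groups)."""
    return _sign({"typ": "GC", "sub": saml["userid"], "groups": saml["groups"],
                  "exp": now + GC_TTL})


def issue_dc(gc_cookie, browser_id: str, now: int):
    """Auth Svc: derive a browser-bound dom cookie from a valid glo cookie."""
    gc = _verify(gc_cookie, now)
    if gc is None or gc["typ"] != "GC":
        return None
    return _sign({"typ": "DC", "sub": gc["sub"], "groups": gc["groups"],
                  "browser": browser_id, "exp": now + DC_TTL})


def firewall_proxy(jar: dict, browser_id: str, now: int) -> tuple:
    """Firewall Proxy: no usable DC -> redirect to Auth Svc; otherwise apply group policy."""
    dc = _verify(jar.get("DC"), now)
    if dc is None or dc["typ"] != "DC" or dc["browser"] != browser_id:
        return ("redirect", AUTH_URL)
    allowed = any(POLICY.get(g) == "allow" for g in dc["groups"])
    return ("allow" if allowed else "deny", dc["sub"])


def auth_svc(jar: dict, browser_id: str, now: int) -> tuple:
    """Auth Svc: no GC -> send the user to the IdP; else set a fresh DC for this browser."""
    gc = _verify(jar.get("GC"), now)
    if gc is None or gc["typ"] != "GC":
        return ("redirect", IDP_URL)
    return ("set-cookie", {"DC": issue_dc(jar["GC"], browser_id, now)})


def simulate(jar: dict, browser_id: str, now: int) -> list:
    """Replay one page load from the diagram, mutating this browser's cookie jar."""
    steps = []
    verdict, _ = firewall_proxy(jar, browser_id, now)
    steps.append("fw:" + verdict)
    if verdict != "redirect":
        return steps
    verdict, payload = auth_svc(jar, browser_id, now)
    steps.append("auth:" + verdict)
    if verdict == "redirect":
        # IdP login succeeds and posts the SAML assertion; IAM creates the GC.
        jar["GC"] = issue_gc(SAML, now)
        steps.append("idp:authenticated")
        verdict, payload = auth_svc(jar, browser_id, now)
        steps.append("auth:" + verdict)
    jar.update(payload)
    verdict, _ = firewall_proxy(jar, browser_id, now)
    steps.append("fw:" + verdict)
    return steps


if __name__ == "__main__":
    chrome = {}
    print(simulate(chrome, "chrome", 0))                      # first visit: full IdP round trip
    print(simulate(chrome, "chrome", 9 * 3600))               # DC expired, GC valid: new DC only
    print(simulate({"DC": chrome["DC"]}, "edge", 9 * 3600))   # Chrome's DC in Edge: rejected, full login
```

The three calls at the bottom correspond to the first Chrome visit, a return visit after the 8-hour DC has lapsed, and the "same process is repeated" note for a second browser. Binding the DC to the browser and signing both cookies is what keeps the short-lived cookie from being usable outside the browser that received it; both cookies are still bearer tokens, so in a real deployment they would additionally carry the Secure and HttpOnly attributes.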