Single sign-on from a web app

I want to implement single sign-on to RT from a web application. Couldn’t find an existing discussion about this scenario and decided to create a new topic.

The easiest path seems to be:

  1. Create a JWT token in the web app.
  2. Send a JS request to the RT server, where a JWT decoding module in Apache would populate REMOTE_USER from JWT token contents, so that RT automatically creates a user (via WebRemoteUserAuth / WebRemoteUserAutocreate) and sets a session cookie.
  3. Redirect the user to the RT server.

The questions I have are:

Is this the best approach to implement SSO from a web application that has its own user accounts (i.e. no LDAP)?

Any suggestions which Apache module is best to use to set REMOTE_USER from JWT?

I assume cross-domain cookies shouldn’t be a major problem as we have the application running on the same domain (i.e. app.domain.com and rt.domain.com) and this can be made to work with minor cookie/cross-domain header adjustments on the RT end.

Is there an easier way? For example, something like passing a short-lived JWT in a GET/POST parameter seems to be a more reliable option by eliminating cross-domain cookies but I couldn’t figure out how to implement it using existing Apache modules and built-in RT features.
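
The short-lived-token handoff sketched in the question (a JWT carried in a GET/POST parameter and turned into REMOTE_USER on the RT side), as an added example that is not from the original post, from RT, or from any Apache module: the web app mints a one-time HS256 token and the RT-side check verifies signature, issuer, audience, expiry and single use before yielding the REMOTE_USER value. The shared secret, the two hostnames and the 60-second lifetime are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed shared secret for this example; in practice it is provisioned out of band.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://app.domain.com"    # web app that mints the token (constructed)
AUDIENCE = "https://rt.domain.com"   # RT front end that consumes it (constructed)
TTL = 60                             # seconds; a leaked URL goes stale quickly

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_sso_token(username, now=None):
    """Web-app side: sign a one-time, short-lived HS256 JWT naming the RT user."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": username,
              "iat": now, "exp": now + TTL, "jti": secrets.token_hex(16)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

_seen_jti = set()  # replay cache; use a shared store when RT runs in several processes

def remote_user_from_token(token, now=None):
    """RT side: the value an Apache module would place in REMOTE_USER, or None to reject."""
    now = now if now is not None else time.time()
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:   # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm (e.g. "none")
        return None
    expected = hmac.new(SECRET, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:  # single use: a replayed URL is rejected
        return None
    _seen_jti.add(jti)
    return claims.get("sub") or None
```

Whatever module ends up in front of RT has to perform these same checks; the jti cache is what makes a token appearing in a browser history or proxy log harmless after its first use.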

I think Apache auth_mellon should work well.