Cross domain token based authentication using ASP.

Published 2019-07-15 14:00

Question:

I would like to know about the best practices to handle this authentication scenario. I have a registration page called (ie https://public.domain.com/#registration), after the registration is done, I'd like to authenticate the user and redirect him to the app (ie https://app.domain.com/). I have another server where I have the authentication method, api controllers, etc (ie https://api.domain.com/Token , https://api.domain.com/api/getOrders , etc).

From the registration page (https://public.domain.com/#registration) I'm calling (https://api.domain.com/Token) to get authenticated, and storing that in sessionStorage["accessToken"] or localStorage["accessToken"]. No matter where I store this token, it won't be available in the other domain where I redirect the user to (https://app.domain.com/).

My question is: Do I have to pass the token via querystring from https://public.domain.com/#registration to https://app.domain.com/Login?Token=xxxxxxxxxxx so I can use it for storing it in localStorage or sessionStorage, and be authenticated in https://app.domain.com/ ?

How can I have that token available in multiple domains? What are the best practices for doing this? Any big security risks? I already set up my Api box with CORS, so the Token endpoint is accessible in the registration and app servers.

Also I'd like to point out that https://public.domain.com/#registration and https://app.domain.com/ are Single Page Applications, using Durandal, BreezeJS, Knockout, etc. (Hot Towel template).
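Two security facts bear on the hand-off the question describes. Anything in the query string (`/Login?Token=xxx`) is sent to app.domain.com, so it lands in that server's access logs and in any proxy in front of it, and it can leak in the Referer header of later requests; it also stays in browser history. The URL fragment (everything after `#`) is never sent to the server, which is why browser-only token flows put the token there instead. It does still sit in the address bar and history until the receiving page removes it. (Both hosts are subdomains of domain.com, so a cookie set with `Domain=domain.com` would reach both, but Web Storage is strictly per origin, which is the limitation the poster ran into.) The following is an added example, not the poster's code or the Hot Towel template's: it builds the redirect with the token in the fragment, shows what the app server would actually see for a fragment URL versus a query-string URL, and on the app side reads the token, stores it, and strips it from the URL. The `/Login` path is taken from the question; the parameter names `access_token` and `return_to` and all function names are my assumptions.

```javascript
// Added example (not the original poster's code): hand the bearer token from
// public.domain.com to app.domain.com in the URL fragment instead of the query
// string, and strip it from the address bar once the receiving SPA has it.
// Assumptions: the hand-off lands on https://app.domain.com/Login (the URL the
// question proposes); the parameter names "access_token" and "return_to" and
// all helper names below are mine, not part of the question or ASP.NET.

const APP_LOGIN_URL = "https://app.domain.com/Login";

// Builds the redirect URL used after registration. The token goes after '#':
// browsers never send the fragment to the server, so unlike ?Token=... it does
// not reach app.domain.com's access logs and cannot be copied into the
// Referer header of the next request the Login page makes.
function buildHandoffUrl(token, returnTo = "/") {
  const params = new URLSearchParams({ access_token: token, return_to: returnTo });
  return `${APP_LOGIN_URL}#${params.toString()}`;
}

// What the app server (and any proxy or log in front of it) actually receives
// for a given browser URL: origin, path and query, never the fragment.
function urlSeenByServer(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search;
}

// App-side: read the token out of a location-like object ({ href, hash }),
// refuse empty or whitespace-containing values, constrain return_to to a
// same-site path (so the hand-off cannot be abused as an open redirect), and
// compute the URL without the fragment to install with history.replaceState.
// Returns null when the page was not reached through a hand-off.
function consumeHandoffToken(location) {
  const hash = location.hash.startsWith("#") ? location.hash.slice(1) : location.hash;
  const params = new URLSearchParams(hash);
  const token = params.get("access_token");
  if (!token || /\s/.test(token)) return null;
  const requested = params.get("return_to") || "/";
  const returnTo = requested.startsWith("/") && !requested.startsWith("//") ? requested : "/";
  const cleaned = new URL(location.href);
  cleaned.hash = ""; // drops the fragment entirely, no dangling '#'
  return { token, returnTo, cleanedHref: cleaned.href };
}

// Browser-only wiring for the Login route of the app SPA; skipped under Node.
if (typeof window !== "undefined" && typeof sessionStorage !== "undefined") {
  const handoff = consumeHandoffToken(window.location);
  if (handoff) {
    sessionStorage.setItem("accessToken", handoff.token);
    // Replace the current history entry so the token is not left in the
    // address bar, browser history or a bookmark of this page.
    window.history.replaceState(null, "", handoff.cleanedHref);
    // From here the SPA router navigates to handoff.returnTo and API calls to
    // https://api.domain.com/api/... send
    // "Authorization: Bearer " + sessionStorage.getItem("accessToken").
  }
}
```

Usage: on public.domain.com, after the `/Token` call succeeds, `window.location.href = buildHandoffUrl(accessToken, "/orders")`; `consumeHandoffToken` runs on the app's Login route as shown. A tighter variant, if the API can be changed, is to hand off a short-lived one-time code in the same way and have app.domain.com exchange it at api.domain.com for the real token, so the long-lived credential never appears in any URL.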

Answer 1:

This pretty much answered my question: Single Sign On (SSO) for cross-domain ASP.NET applications

Highlights:

So, how to share the authentication cookie across multiple domains? Well, there is absolutely no way to do that. The fundamental barrier of the HTTP protocol prevents you from sharing a cookie across different domains, primarily for security reasons.

...There is no built-in mechanism in ASP.NET to implement a Single Sign On across these two different sites.