
Is there a way to obtain a Kerberos ticket for a service in Java or in a command-line utility using the native SSPI API?

Updated: 2023-01-17 11:04:08

Forgive me if I am misunderstanding your problem, but...

The point of SSO type systems is that the client authenticates directly to the (separate) authentication server, and obtains a ticket from it. It then passes the ticket to the target server(s) it wants to use, each of which verifies that the ticket is valid with the authentication server. If the ticket is validated, it can be assumed by the server that the client only obtained it by presenting the (trusted) Kerberos server with acceptable credentials.

Nowhere in the process should any server authenticate on behalf of the client. In such a system, the only server that needs to know and validate the client's credentials is the authentication server - no other server need have access to this information. This way the client can authenticate for many servers with just one authentication exchange, and credentials are not put at risk by being stored on, or accessible to, multiple servers.

It sounds like your implementation is working just as it should - the authentication should occur on the client side of the application, and this is correct and not a security risk.
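The flow the answer describes (client obtains a service ticket from the KDC, hands it to the target service, the service validates it with its own key and never sees the client's password) can be shown with the standard Java GSS-API, which is what the question's "in Java" case would use on any platform. The code below is an added illustration written for this page, not code from the answerer or from the JDK documentation. It assumes a reachable KDC configured in krb5.conf, a JAAS login configuration file (shown in the comment) passed via -Djava.security.auth.login.config, an existing TGT in the client's ticket cache (obtained with kinit or a Windows logon), and the placeholder service principal HTTP/app.example.com@EXAMPLE.COM with a matching keytab on the service side; all of those names are assumptions, not values from the page.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Assumed JAAS configuration (file path given with -Djava.security.auth.login.config):
 *
 * KerberosClient {                                     // initiator: reuse the TGT, never prompt
 *     com.sun.security.auth.module.Krb5LoginModule required
 *     useTicketCache=true doNotPrompt=true;
 * };
 * KerberosService {                                    // acceptor: only its own long-term key
 *     com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true storeKey=true isInitiator=false
 *     principal="HTTP/app.example.com@EXAMPLE.COM" keyTab="/etc/krb5.keytab";
 * };
 */
public class KerberosServiceTicketDemo {
    // Kerberos V5 GSS mechanism OID (RFC 1964) and the Kerberos principal name type OID.
    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");
    private static final Oid KRB5_PRINCIPAL_NAME = oid("1.2.840.113554.1.2.2.1");
    // Placeholder service principal; replace with the real SPN of the target service.
    private static final String SERVICE = "HTTP/app.example.com@EXAMPLE.COM";

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (Exception e) { throw new IllegalStateException(e); }
    }

    /** Client side: asks the KDC for a service ticket (via the cached TGT) and wraps it in an AP-REQ token. */
    static byte[] clientToken(Subject client) throws Exception {
        return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName target = gm.createName(SERVICE, KRB5_PRINCIPAL_NAME);
            GSSContext ctx = gm.createContext(target, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // also verify the service proves knowledge of its key
            ctx.requestIntegrity(true);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;                  // send this to the service (e.g. as an HTTP Negotiate header)
        });
    }

    /** Service side: validates the ticket with its own keytab key; the client's password is never involved. */
    static String acceptToken(Subject service, byte[] token) throws Exception {
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSContext ctx = gm.createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length);
            String who = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
            ctx.dispose();
            return who;                    // authenticated client principal, e.g. alice@EXAMPLE.COM
        });
    }

    public static void main(String[] args) throws Exception {
        LoginContext clientLogin = new LoginContext("KerberosClient");
        clientLogin.login();
        byte[] token = clientToken(clientLogin.getSubject());
        System.out.println("AP-REQ token bytes: " + token.length);

        // Normally this runs in a different process on the service host; shown here for the full round trip.
        LoginContext serviceLogin = new LoginContext("KerberosService");
        serviceLogin.login();
        System.out.println("Service authenticated: " + acceptToken(serviceLogin.getSubject(), token));
    }
}
```

After the client half runs, the service ticket sits in the client's credential cache alongside the TGT, which `klist` (MIT Kerberos or the Windows built-in) will list; that cached ticket is the artifact the question asks about. Note that the acceptor is created with a null credential and the `isInitiator=false` login entry, so the service process holds only its own keytab key and can do nothing on the client's behalf, which is exactly the property the answer describes.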