Log in a user via the API

(Wasim Khamlichi) #1

I’ve got SSO set up and working with my website. I’m now wondering if it’s possible to log in a user to Discourse automatically, via the API, when someone logs into the website?

This is good so that users do not have to click Log In when they visit Discourse if they’re already logged into the website.

(Felix Freiberger) #2

Are your users visiting Discourse directly, or via a link you control?

In the latter case, if they are logged in, send them to the /session/sso route, which will trigger the normal SSO login.

(Wasim Khamlichi) #3

Thanks, I didn’t know about the route. But that’s not exactly what I’m trying to do: I want to log them in in the background, without them realising and without redirects. Is this possible?

Take New Relic for example - https://discuss.newrelic.com/ - Say you’re logged out of Discourse - if you then log into the Support Centre section (not part of Discourse) you’re automatically logged into Discourse, without having to visit https://discuss.newrelic.com/session/sso.

I don’t notice any redirects going on after login, but I doubt that they would redirect to every system requiring SSO after a user logs in. I can log into any part of New Relic’s website and Discourse is logged in automatically.

(Felix Freiberger) #4

This is tricky to do – the API alone cannot do it, because you need to set a cookie.

I’d try embedding the login-route in an invisible iframe once after the user logs in – but that’s an ugly hack.

(Wasim Khamlichi) #5

Hmm that is ugly, but may be necessary. I hope there could be a different way.

(Rasheedamir) #6

@wasimkham we are trying to do exactly the same thing, and I am just wondering what final approach you chose?

(Wasim Khamlichi) #7

@rasheedamir I have not implemented anything, it’s not yet a priority so decided to put it in the back seat. If you do find a clean solution in your search I would very much appreciate if you could let me know how you did it.

(Rasheedamir) #8

ah ok @wasimkham sure will do

(shahid) #9

@wasimkham @rasheedamir
Hi guys, has anyone looked into this any further? I have just stumbled across the same issue :frowning:

(pari) #10

I have already suggested something similar.

(shahid) #11

Hi, thanks for the info.

So I am trying the following:
Client logs into my app via Auth0 authentication.
On successful authentication, an Auth0 rule kicks in and makes a callback to a page in my app which has a hidden iframe. This hidden iframe simply does a login to Discourse, so when the client clicks on the forum link he will already be logged in.

I am encountering a problem with the payload that is being sent to the Discourse SSO URL.
The “nonce” is invalid/timed out.
Since the login is not being initiated via Discourse, I am generating a nonce in my Auth0 rule and sending that back as part of the payload to the Discourse SSO URL.

I’m unclear on how the nonce works, so would appreciate some assistance. Is there a way to disable the nonce check in Discourse? If not, what do I need to do to get this to work?
I imagine Discourse is rejecting the SSO login attempt because the nonce it received is one that it did not send in the first place.
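The nonce behaviour the thread runs into can be seen by modelling both ends of the SSO exchange. The following is an added example written for this page, not code from the thread or from Discourse itself: it models a Discourse-style flow in which the forum issues a random nonce when the login is started, signs the payload with the shared secret (HMAC-SHA256 over the base64 payload), and on the return leg checks the signature, then checks that the nonce is one it actually issued, has not been used, and has not expired. The secret, user record, URLs and the 600-second nonce lifetime are constructed assumptions for the model. The scenarios show why a nonce minted by the website (as in the Auth0 rule) is rejected even though its signature is valid, and why starting the flow from the forum's own login route (from a hidden iframe or otherwise) works.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Shared secret configured identically on both sides (constructed demo value).
SSO_SECRET = b"constructed-demo-secret"
# Assumed nonce lifetime in seconds for this model; check your forum's own setting.
NONCE_TTL = 600
# Constructed sample user record held by the website.
USER = {"id": "42", "email": "jane@example.com", "username": "jane"}


def encode(fields: dict) -> str:
    """Query-string encode, then base64: the shape of the 'sso' parameter."""
    return base64.b64encode(urlencode(fields).encode()).decode()


def decode(payload: str) -> dict:
    return {k: v[0] for k, v in parse_qs(base64.b64decode(payload).decode()).items()}


def sign(payload: str, secret: bytes = SSO_SECRET) -> str:
    """HMAC-SHA256 over the base64 payload, hex encoded: the 'sig' parameter."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def verify(payload: str, sig: str, secret: bytes = SSO_SECRET) -> bool:
    return hmac.compare_digest(sign(payload, secret), sig)


class DiscourseSide:
    """Model of the forum: issues the nonce on login start, checks it on return."""

    def __init__(self, secret: bytes = SSO_SECRET, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.issued = {}  # nonce -> expiry time; each nonce is single use

    def start_login(self, return_url="https://forum.example/session/sso_login") -> dict:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = self.clock() + NONCE_TTL
        payload = encode({"nonce": nonce, "return_sso_url": return_url})
        return {"sso": payload, "sig": sign(payload, self.secret)}

    def finish_login(self, sso: str, sig: str) -> tuple:
        """Returns (user_fields, status); only status 'ok' would set a session cookie."""
        if not verify(sso, sig, self.secret):
            return None, "bad signature"
        fields = decode(sso)
        expiry = self.issued.pop(fields.get("nonce"), None)  # consume it: single use
        if expiry is None:
            return None, "unknown nonce"  # never issued here, or already used
        if expiry < self.clock():
            return None, "nonce expired"
        return fields, "ok"


class WebsiteSide:
    """Model of the site the forum delegates authentication to."""

    def __init__(self, secret: bytes = SSO_SECRET):
        self.secret = secret

    def answer(self, sso: str, sig: str, user: dict) -> dict:
        """Correct flow: verify the request, then echo the nonce the forum issued."""
        if not verify(sso, sig, self.secret):
            raise ValueError("request did not come from the forum")
        return self._respond(decode(sso)["nonce"], user)

    def self_started(self, user: dict) -> dict:
        """The Auth0-rule approach from the thread: nonce invented by the website."""
        return self._respond(secrets.token_hex(16), user)

    def _respond(self, nonce: str, user: dict) -> dict:
        payload = encode({"nonce": nonce, "external_id": user["id"],
                          "email": user["email"], "username": user["username"]})
        return {"sso": payload, "sig": sign(payload, self.secret)}


def run_scenarios() -> dict:
    """Exercise the flows discussed in the thread; returns the status per scenario."""
    now = [1_700_000_000.0]  # controllable clock so expiry can be demonstrated
    forum, site, out = DiscourseSide(clock=lambda: now[0]), WebsiteSide(), {}

    req = forum.start_login()  # 1. login started by the forum (e.g. hidden iframe)
    resp = site.answer(req["sso"], req["sig"], USER)
    out["proper"] = forum.finish_login(resp["sso"], resp["sig"])[1]
    out["replay"] = forum.finish_login(resp["sso"], resp["sig"])[1]  # 2. nonce consumed

    forged = site.self_started(USER)  # 3. valid signature, but nonce never issued
    out["self_started"] = forum.finish_login(forged["sso"], forged["sig"])[1]

    req = forum.start_login()  # 4. genuine nonce answered after its lifetime
    resp = site.answer(req["sso"], req["sig"], USER)
    now[0] += NONCE_TTL + 1
    out["expired"] = forum.finish_login(resp["sso"], resp["sig"])[1]
    out["tampered"] = forum.finish_login(resp["sso"] + "x", resp["sig"])[1]  # 5.
    return out


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:13s} -> {status}")
```

The point the model makes is the one the thread arrives at: the nonce is not something the website can disable or substitute, because the forum only trusts nonces it minted itself, once, within a short window. A background login therefore has to start at the forum's login route so the forum creates the nonce, which is what the hidden-iframe suggestion earlier in the thread relies on.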