SSO login from main site backend


#1

Hello, I am setting up sso authentication for Discourse.
When the user logs in on the main site, I would like he also be logged into the forum.
At the end of the procedure, the user stays on the main site.

This is slightly different from the official setup:


where a user must first visit the forum, then click on the login button to be redirected
to the main site authentication page and finally be redirected back to the forum.

So I tried to handle the discourse login directly from the main site backend:

  • send a request to discourse /session/sso_login
  • in the response a cookie is set by discourse (I discard it);
  • the sso and sig parameters are taken from the redirect Location url.
  • generate and sign a response with the nonce and user information;
  • immediately send request with new sso and sig to discourse /session/sso*

However, I get the error “Account login timed out, please try logging in again”.
I would expect discourse login to succeed and to receive some authentication cookies.

Is there something wrong with the above procedure? Should I send back the above cookie?
Is there a simpler way to have the main site trigger discourse login?


#2

I found what was causing the “account login timed out” error: I was returning a single element array with the nonce “[nonce]” instead of the “nonce” string. So the cookie at the early stage is unnecessary.

Discourse response was misleading and could instead have returned a “bad request” error.

Anyway, what do you think of the above approach? Is there a better way?


(Kane York) #3
<embed src="https://discourse.yoursite.com/session/sso"
     onload="document.location='/login_complete';" ></embed>

<h1> Please wait... </h1>
<div class='spinner'></div>

#4

Thank you @riking for your suggestion.
I actually had tried a similar solution using a sandboxed iframe (sandbox: “allow-same-origin”) and listening on the onload event. Is embed better?


(Kane York) #5

Embed works because it’s stricter with regards to the SOP, and the document is supposed to be redirecting across multiple domains, so it works better here.


(Mindhash) #6

@gberaudo ,
Know its tad bit late to respond on this topic. but could you share steps you followed (just high level).

Trying to do something similar. This is what i have in mind

  1. Iframe/embed on main site to discourse_URL/session/sso
  2. this will call my sso url (mysite_URL/sso_request) with nonce
  3. Use the nonce from prior step to send user info to discourse_URL/session/sso_login

I am assuming all above steps will happen inside iframe.

Thanks.