SSO with an AngularJS App/ Javascript

(Ben) #1

i have a running AngularJS App and use Stamplay as the backend. Discourse is running in a Subfolder.
If the user login on the main App (Javascript) and it’s approved by the Stamplay backend i redirect him to the SSO.php file (with the sig, sso, userID and userName parameter), where is use the PHP Helper from @cviebrock.

This works and the user is logged in in both apps (AngularJS Main App and forum).
This flow is insecure, because if the user copy the sig and sso parameter from the Discourse redirect and hits the SSO.php file with this parameter + the user parameter he can login in the forum as any user he want’s.

Any ideas how to make this flow secure?

(Felix Freiberger) #2

Who is generating the signature? By your description, it sounds like your Stamplay backend does this. But then, what do you need the PHP helper for?

(Ben) #3

What do you mean with signature? The verification that the credentials are correct, or the sig parameter in the posted url?

If your refer to the sig in the url, it’s generated by Discourse if the user click on the Discourse Login button.

  • user click on the Discourse login button
  • he will be redirected to the sso url from the Discourse settings and the sig and sso parameter are append
  • the user fill the login form with email and password (angular app)
  • angular app sends the credentials to the Stamplay backend and if the credentials are correct it will set a token in the local storage
  • angular app redirects to the user to the SSO.php with the sig and sso parameter
  • SSO.php validates the sig and sso parameter with the sso secret from the Discourse settings and redirects the user to the /session/sso_login?sso=payload&sig=sig
  • now the user is logged in the angular app and Discourse

The problem is that the part where the sig and sso parameter are validated with the sso secret. It must be done on the server side, because the sso secret must be hidden.
I also can’t get the current logged in user by php. Thats why i have to send the userID and userEmail via url parameter to the ‘SSO.php’. It’s bad because the user can manipulate the params and can login in Discourse as any user he like.

(Felix Freiberger) #4

Oh right, I forgot that Discourse will also sign the request.

Since the token is the only thing that your Angular app retains as authentication, the PHP script will have to validate that token.

(Ben) #5

Good idea, but i have no idea how to do this. I will research Stamplay Documentation