
Addon for StraaS CMS

stackng edited this page Jun 2, 2017 · 12 revisions

Introduction

You have an admin panel, you have StraaS CMS, uh! Addon for StraaS CMS.

If your own service already has an admin panel, you might wish to combine it with StraaS CMS instead of making your users work with two separate systems; Addon for StraaS CMS is here to the rescue.

StraaS CMS users will be able to access your own admin panel in CMS through an iframe if you implement single sign-on (SSO) as described in this document.

How addon works

StraaS CMS generates a jwt for the current user and redirects the user's browser, inside the iframe, to your site with this jwt. Your site confirms the authenticity of the jwt, sets a cookie for the user session and redirects the user to your own admin panel, which is then displayed as your addon inside CMS.

Requirements

To ensure your addon is embeddable within StraaS CMS, your site must accept HTTPS requests and set X-Frame-Options to ALLOW-FROM https://cms.straas.io.

Addon setting

After you specify the name, icon, sso_url and secret of your addon in our CMS (Account Management > Addons), the addon entry will be displayed in the CMS menu.

Signing in the user on redirect

When the user clicks your addon entry in the CMS menu, they are directed via HTTP POST to sso_url, where you handle the single sign-on.

Requests will look like: POST #{sso_url} jwt=#{jwt}

As shown, the data is form-encoded in the POST body. The jwt follows the JWT standard, is signed with the secret from your addon setting, and expires 30 minutes after it is issued. Its payload contains your CMS account_id and the user's email. Because you hold the secret, you can verify the jwt yourself.

If the jwt is valid and not yet expired, create a user session through whatever method you normally use, most likely by setting a cookie. For better security, you might make the session expire at the jwt's own expiration time.

Otherwise, if the jwt is invalid or expired, show the user a page with HTTP status code 403 and the notice message: "Your access is expired, please reload StraaS CMS to re-authorize."
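As an added illustration (not code from the StraaS project), the following Python handler implements the sso_url steps above: it parses the form-encoded POST, verifies the jwt's signature with the addon secret, enforces the expiry, ties the session cookie lifetime to it, and returns the 403 notice otherwise. It assumes HS256 signing (the wiki does not name the algorithm); ADMIN_URL and the in-memory SESSIONS store are placeholders, and sign_jwt exists only to build sample tokens for testing.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs

ADMIN_URL = "https://admin.example.com/"  # hypothetical location of your own admin panel
NOTICE = "Your access is expired, please reload StraaS CMS to re-authorize."
SESSIONS = {}  # session id -> jwt claims; in-memory stand-in for a real session store

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_jwt(claims, secret):
    """HS256 signer, used here only to build sample tokens (the CMS's exact algorithm is assumed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_sso_jwt(token, secret, now):
    """Return the claims if the signature is valid and the token is unexpired at `now`, else None."""
    parts = token.split(".")
    if len(parts) != 3: return None
    h_b64, p_b64, s_b64 = parts
    try:
        if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":  # refuse 'none' and other algs
            return None
        expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):  # constant-time comparison
            return None
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims if "account_id" in claims and "email" in claims else None  # fields the wiki promises

def handle_sso_post(body, secret, now=None):
    """Handle the CMS's POST to sso_url (form body 'jwt=...'); returns (status, headers, body)."""
    now = time.time() if now is None else now
    claims = verify_sso_jwt(parse_qs(body).get("jwt", [""])[0], secret, now)
    if claims is None:
        return 403, {}, NOTICE
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = claims
    # Cookie lifetime bound to the jwt's expiry; SameSite=None + Secure is needed inside a cross-site iframe.
    cookie = f"session={sid}; Max-Age={int(claims['exp'] - now)}; Path=/; Secure; HttpOnly; SameSite=None"
    return 302, {"Location": ADMIN_URL, "Set-Cookie": cookie}, ""
```

Note that ALLOW-FROM is ignored by Chrome and Safari, so serve a Content-Security-Policy frame-ancestors directive alongside X-Frame-Options on the admin panel pages.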