
SSO SNGM (pro montagne)

Arnaud Morvan edited this page Nov 28, 2017 · 7 revisions

How it works:

There is no graphical interface to add new SSO keys; connect directly to the PostgreSQL server and insert the key for the external domain. The key is a shared secret, so use a long random value rather than a placeholder like 'mykey'. Example:

psql -d c2corg -c "INSERT INTO users.sso_key("domain", "key") VALUES ('pro-montagne', 'mykey');"

Now suppose an external service, named example.com, wants to create or authenticate a user in the c2c domain. The example.com server sends a POST request to /sso_sync with the following JSON fields:

  • sso_key: the_example_dot_com_sso_key
  • external_id: 999 (the user's id in the external service)
  • email: newuser@external.domain.net
  • username: newuser (mandatory only when the user does not exist yet)
  • name: New User (defaults to username)
  • forum_username: NewUser (defaults to username)
  • lang: fr (mandatory only when the user does not exist yet)

Example:

curl -H "Content-Type: application/json" \
-d '{ "sso_key": "mykey", "external_id": "999", "email": "newuser@external.domain.net", "username": "testsngm", "name": "testsngm", "forum_username": "testsngm", "lang": "fr" }' \
"https://api.demov6.camptocamp.org/sso_sync"

The C2C API server checks the SSO key. If the key is recognized, it searches for the user by external domain and external_id. If not found, it searches by email. If still not found, it creates the user, returning an error if the username or forum_username is already used. If everything goes fine, the C2C server returns an authentication url carrying a token valid only for this user and for the next 10 minutes, for example: www.camptocamp.org/sso_login?no_redirect&token=...

Note that anyone holding a domain's sso_key can obtain a login token for any account of that domain, so the key must be stored like a password and only ever sent server-to-server over HTTPS.

The external service's server may then embed, in the page it returns to the browser, a hidden iframe pointing at that url; the page loaded in the iframe makes the browser send a POST request to api.camptocamp.org/sso_login with the token.

The C2C API server checks the token and authenticates the user, returning the same JWT token as for standard authentication with username and password, and the browser stores it in localStorage for the domain camptocamp.org. Note that the browser also sends a request to the forum, so the forum session is set up at the same time.

The browser is now authenticated everywhere.
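The lookup order and the token rules described above, as an added example that is not c2corg code: an in-memory mock of /sso_sync and /sso_login in Python. The dict-based storage, the HMAC-signed token format, the SsoError class and the token_from_url helper are assumptions made for the example; the real API's token format and error responses are not documented on this page.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_LIFETIME = 10 * 60                  # seconds: the page says 10 minutes
SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-process signing key
SSO_KEYS = {"pro-montagne": "mykey"}      # stand-in for users.sso_key(domain, key)

users = {}          # user_id -> record (stand-in for the users table)
external_ids = {}   # (domain, external_id) -> user_id
_counter = {"next": 1}


class SsoError(Exception):
    """What the API would send back as an HTTP error to the external service."""


def _sign(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def make_token(user_id, expires_at):
    """Token bound to one user and one expiry time (format is an assumption)."""
    body = f"{user_id}.{expires_at}"
    return f"{body}.{_sign(body)}"


def sso_login(token, now=None):
    """Check the token posted by the browser; return the user id it was issued for."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        raise SsoError("malformed token")
    uid, exp, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{uid}.{exp}")):
        raise SsoError("bad signature")
    if (now if now is not None else time.time()) >= int(exp):
        raise SsoError("token expired")
    return int(uid)


def sso_sync(payload, now=None):
    """Resolve or create the user for an external account; return the sso_login url."""
    key = str(payload.get("sso_key", "")).encode()
    # constant-time comparison: the key is a credential, don't leak it by timing
    domain = next((d for d, k in SSO_KEYS.items()
                   if hmac.compare_digest(k.encode(), key)), None)
    if domain is None:
        raise SsoError("unknown sso_key")

    ext = (domain, str(payload["external_id"]))
    uid = external_ids.get(ext)                       # 1st lookup: domain + external_id
    if uid is None:                                   # 2nd lookup: email
        uid = next((u for u, rec in users.items()
                    if rec["email"] == payload["email"]), None)
        if uid is not None:
            external_ids[ext] = uid                   # bind the external account
    if uid is None:                                   # 3rd: create the user
        for field in ("username", "lang"):
            if not payload.get(field):
                raise SsoError(f"{field} is mandatory for a new user")
        username = payload["username"]
        forum_username = payload.get("forum_username") or username
        for rec in users.values():
            if rec["username"] == username or rec["forum_username"] == forum_username:
                raise SsoError("username or forum_username already used")
        uid = _counter["next"]
        _counter["next"] += 1
        users[uid] = {
            "email": payload["email"],
            "username": username,
            "name": payload.get("name") or username,
            "forum_username": forum_username,
            "lang": payload["lang"],
        }
        external_ids[ext] = uid

    current = now if now is not None else time.time()
    token = make_token(uid, int(current) + TOKEN_LIFETIME)
    return f"https://www.camptocamp.org/sso_login?no_redirect&token={token}"


def token_from_url(url):
    """Extract the token from the url the external service hands to the browser."""
    return parse_qs(urlsplit(url).query)["token"][0]
```

The token carries the user id and the expiry inside the signed body, so a token minted for one user cannot be replayed for another, and a token older than ten minutes is rejected even if its signature is intact. The `now` parameter exists only to make the expiry rule testable without sleeping.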

Testing SSO in a browser (for a test instance only: the page below embeds the sso_key in client-side JavaScript, where anyone who loads it can read it):

<html>
<head></head>
<body>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script>
$(function() {

  // Step 1: call /sso_sync. Done from the browser here purely for testing:
  // the sso_key is visible to anyone who loads this page, so a real
  // external service must make this call server-to-server instead.
  $.ajax({
      url: 'https://api.demov6.camptocamp.org/sso_sync',
      type: 'POST',
      dataType: 'json',
      contentType: "application/json; charset=utf-8",
      data: JSON.stringify({
          "sso_key": "xxxxxxxxxxxx",
          "external_id": "999",
          "email": "newuser@external.domain.net",
          "username": "testsngm",
          "name": "testsngm",
          "forum_username": "testsngm",
          "lang": "fr"
      }),
      // Step 2: the response carries the sso_login url with the short-lived
      // token; loading it in a hidden iframe performs the login.
      success: function (data) {
        $('<iframe>', {
          src: data.url,  // + '&debug' to load non compressed js files
          id: 'topoguide_auth_frame',
          style: 'display: none',
          sandbox: 'allow-same-origin allow-scripts'
        }).appendTo('body');
      },
      error: function (xhr) {
        // e.g. unknown sso_key, or username / forum_username already used
        console.error('sso_sync failed', xhr.status, xhr.responseText);
      }
  });

});
</script>
</body>
</html>