Seamless SSO #5

Closed
3 tasks done
gberaudo opened this issue Jan 18, 2016 · 8 comments

Comments

@gberaudo
Contributor

The login and logout processes should be as integrated as possible.

  • logging into the UI logs the user into the forum (the forum cookie is set);
  • logging out of the UI logs the user out of the forum;
  • logging out of the forum logs the user out of the UI.

A topic was opened on Discourse to get advice on the available possibilities:
https://meta.discourse.org/t/sso-login-from-main-site-backend/37933

@gberaudo
Contributor Author

In order to be authenticated on the forum, some cookies must be set by the
forum in the user's browser.

Try 1: handle setting cookies in API backend:

  • handle forum login entirely inside the API backend;
  • Proxy back the Set-Cookie to the UI.
    In order to handle subdomains (api, ui and forum), the domain property needs
    to be set on the cookie, making it shared between all subdomains.
    Strangely, the cookies were received by the browser but were not sent on subsequent requests. It also requires the 'withCredentials' option to be set on the Angular service and the API backend to be modified.

Try 2: handle setting cookies in an iframe:

  • handle generation of the redirect URL in the API backend;
  • Use a hidden iframe with the redirect URL (cookies are directly set by the forum).
    This solution works almost correctly. The main drawback is an error printed in the console which could probably be worked around.

I am going to prepare a PR based on Try 2.

@asaunier
Member

> Proxy back the Set-Cookie to the UI. In order to handle subdomains (api, ui and forum), the domain property needs to be set on the cookie, making it shared between all subdomains.

Having domain-wide cookies might be a problem since other instances of the UI/API/forum will probably be set for test/dev purposes on the same domain (and would share the cookies then...).
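
The scoping concern in the comment above, as an added example that is not part of the original thread or the project's code: it applies the RFC 6265 domain-match rule to show which hosts a browser would send each cookie to. All hostnames are constructed, the host-only forum cookie and the `dev.` subdomain layout are assumptions, and public-suffix rejection is not modelled.

```javascript
// Constructed hostnames: production and a dev instance under one parent domain.
const HOSTS = [
  "ui.example.org", "api.example.org", "forum.example.org",
  "ui.dev.example.org", "forum.dev.example.org", "example.org.evil.test",
];

// RFC 6265 section 5.1.3 domain-match; IP-address hosts never suffix-match.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Without a Domain attribute the cookie is host-only: exact host match.
function receives(host, cookie) {
  return cookie.domain === null
    ? host.toLowerCase() === cookie.setBy.toLowerCase()
    : domainMatch(host, cookie.domain);
}

// A server may only set Domain to its own host or a parent of it.
function accepted(cookie) {
  return cookie.domain === null || domainMatch(cookie.setBy, cookie.domain);
}

// Hosts from HOSTS that would receive the cookie on later requests.
function recipients(cookie) {
  return accepted(cookie) ? HOSTS.filter((h) => receives(h, cookie)) : [];
}

// Try 1 as described: the API relays Set-Cookie with a parent Domain.
const shared = { setBy: "api.example.org", domain: "example.org" };
// Assumption: the forum sets its own cookie with no Domain attribute.
const hostOnly = { setBy: "forum.example.org", domain: null };
// Assumption: the dev stack lives under its own subdomain and scopes to it.
const devScoped = { setBy: "forum.dev.example.org", domain: "dev.example.org" };

for (const [name, c] of Object.entries({ shared, hostOnly, devScoped })) {
  console.log(name.padEnd(9), "->", recipients(c).join(", "));
}
```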

@asaunier
Member

asaunier commented Mar 1, 2016

@gberaudo can we update the todo list at the beginning of this issue?

What about the logout in Discourse pages? We need the user to then also be logged out from the UI.
See c2corg/v6_ui#203 (comment)

@gberaudo
Contributor Author

gberaudo commented Mar 1, 2016

@asaunier
Member

asaunier commented Mar 1, 2016

Could you summarize? I don't have the patience to read the thread :P

@gberaudo
Contributor Author

gberaudo commented Mar 1, 2016

There exists a redirect URL setting for logout. We can use it to redirect to the UI, handle the UI logout and redirect back to the forum.

@gberaudo
Contributor Author

gberaudo commented Mar 1, 2016

The alternative is to hide the forum login/logout buttons with CSS.

@asaunier
Member

asaunier commented Mar 1, 2016

It's not very intuitive to have to go to another page (UI) to be able to log out.
