Seamless SSO about v6_forum HOT 8 CLOSED

In order to be authenticated on the forum, some cookies must be set by the
forum into user's browser.

Try 1: handle setting cookies in API backend:

• handle forum login entirely inside the API backend;
• Proxy back the Set-Cookie to the UI.
  In order to handle subdomains (api, ui and forum), the domain property need
  to be set on the cookie, making it shared between all subdomains.
  Strangely, the cookies where received by the browser but where not sent on subsequent requests. It also requires the 'withCredentials' option to be set on the angular service and the API backend modified.

Try2: handle setting cookies in an iframe:

• handle generation of the redirect URL in the API backend;
• Use a hidden iframe with the redirect URL (cookies are directly set by the forum).
  This solution works almost correctly. The main drawback is an error printed in the console which could probably be workarounded.

I am going to prepare a PR based on try2.

from v6_forum.

Proxy back the Set-Cookie to the UI. In order to handle subdomains (api, ui and forum), the domain property need to be set on the cookie, making it shared between all subdomains.

Having domain-wide cookies might be a problem since other instances of the UI/API/forum will probably be set for test/dev purposes on the same domain (and would share the cookies then...).

from v6_forum.

@gberaudo can we update the todo list at the beginning of this issue?

What about the logout in Discourse pages? We need that the user is then also logged out from the UI.
See c2corg/v6_ui#203 (comment)

from v6_forum.

See https://meta.discourse.org/t/discourse-sso-logout/28509

from v6_forum.

Could you summarize? I don't have the patience to read the thead :P

from v6_forum.

There exists a redirect URL setting for logout. We can use it to redirect to the UI, handle the UI logout and redirect back to the forum.

from v6_forum.

The alternative is to hide the forum login/logout buttons with CSS.

from v6_forum.

That's not very intuitive to have to go to another page (UI) to be able to log out.

from v6_forum.