SSO for Pro sites
Testing
- Log out on Minds
- Visit any Pro Domain site (standalone) - user should be logged out
- Visit Minds
- Log in on Minds
- Visit any Pro Domain site - user should be logged in
- Log out on the Pro Domain site
- Visit Minds - user should be logged out
- Visit any Pro Domain site
- Log in on Pro Domain site
- Visit Minds - user should be logged in
Note: This testing procedure is valid on browsers with 3rd-party cookies enabled. On other strict-security browsers (such as Brave), Minds and Pro Domain sessions are completely independent.
Sandbox
- Minds: https://goal-pro-sso.minds.io/
- Pro Domain: http://another-domain-goal-pro-sso.minds.io
Helm Chart (Sandbox deployment chart)
- Check out this branch: https://gitlab.com/minds/helm-charts/tree/goal/pro-sso
- Manually deploy:
helm upgrade --install --reuse-values --recreate-pods --set features.pro=true --set jwtsecret="<something random here>" --wait goal-pro-sso ./minds/
Issues
- Closes #1127
added scoped label
added 3 commits
- aacc7678...cc738264 - 2 commits from branch master
- cd9a4013 - Merge remote-tracking branch 'origin/master' into goal/pro-sso
added 2 commits
added 3 commits
- e4e5e0ea...d592fd9d - 2 commits from branch master
- c2c95dfd - Merge remote-tracking branch 'origin/master' into goal/pro-sso
unmarked as a Work In Progress
added scoped label
changed the description
mentioned in issue front#2236 (closed)
- Last updated by Emiliano Balbuena
class ProDelegate
{
    /** @var ProDomain */
    protected $proDomain;

    /**
     * ProDelegate constructor.
     * @param ProDomain $proDomain
     */
    public function __construct(
        $proDomain = null
    ) {
        $this->proDomain = $proDomain ?: Di::_()->get('Pro\Domain');
    }

    public function isAllowed($domain)
- Owner
bool return type
changed this line in version 9 of the diff
added 13 commits
- 1155faab...52a592b9 - 11 commits from branch master
- d9f6f766 - (chore): Pro Delegate types
- cf4c1059 - Merge remote-tracking branch 'origin/master' into goal/pro-sso
added 1 commit
- fd91559b - (fix): Origin's scheme should have more relevance for CORS
changed the description
approved this merge request
- Developer
I tested on Chrome and Brave. I actually found that the system works just as well on Brave as it did on Chrome, even with the shield turned on.
http://another-domain-goal-pro-sso.minds.io https://goal-pro-sso.minds.io/
I'm guessing that Brave shield might be smart enough to detect that both domains are minds.io but I'm not sure what's going on.
if (!$key) {
    throw new Exception('Invalid encryption key');
}

$sessionToken = (string) $session->getToken();
$sessionTokenHash = hash('sha256', $key . $sessionToken);

$ssoKey = implode(':', ['sso', $this->domain, $sessionTokenHash, $this->jwt->randomString()]);

$jwt = $this->jwt
    ->setKey($key)
    ->encode([
        'key' => $ssoKey,
        'domain' => $this->domain,
    ], $now, $now + static::JTW_EXPIRE);
- Owner
JWT or JTW?
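The token scheme in the snippet above, as an added stand-alone illustration that is not the project's code: it re-implements HS256 signing with the Python standard library instead of Minds\Common\Jwt, and the receiving-side checks (signature, alg, expiry, domain binding, key prefix) are my assumptions about what a Pro Domain consumer should verify, not something the MR shows.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

JWT_EXPIRE = 300  # same lifetime as the Manager's JTW_EXPIRE constant (seconds)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_sso_token(key: str, session_token: str, domain: str, now: int,
                   rand: Optional[str] = None) -> str:
    """Mirror of the snippet: key = 'sso:<domain>:<sha256(key.sessionToken)>:<random>',
    wrapped in an HS256 JWT that expires JWT_EXPIRE seconds after `now`."""
    session_token_hash = hashlib.sha256((key + session_token).encode()).hexdigest()
    sso_key = ":".join(["sso", domain, session_token_hash, rand or secrets.token_hex(16)])
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"key": sso_key, "domain": domain, "iat": now, "exp": now + JWT_EXPIRE}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_sso_token(token: str, key: str, expected_domain: str, now: int) -> Optional[dict]:
    """Assumed consumer-side checks: constant-time signature compare, fixed alg,
    not-yet-expired, and the token is bound to the domain that received it."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected_sig = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(p))
    if now >= claims.get("exp", 0) or claims.get("domain") != expected_domain:
        return None
    if not str(claims.get("key", "")).startswith(f"sso:{expected_domain}:"):
        return None
    return claims
```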
 * @author edgebal
 */

namespace Minds\Core\SSO;

use Exception;
use Minds\Common\Jwt;
use Minds\Core\Config;
use Minds\Core\Data\cache\abstractCacher;
use Minds\Core\Di\Di;
use Minds\Core\Sessions\Manager as SessionsManager;

class Manager
{
    /** @var int */
    const JTW_EXPIRE = 300;
- Owner
JWT?
}

/**
 * @param string $domain
 * @return Manager
 */
public function setDomain(string $domain): Manager
{
    $this->domain = $domain;
    return $this;
}

/**
 * @return bool
 */
public function isAllowed(): bool
- Owner
Consider moving the call to this function out of controllers and into respective functions here.