PHP and WordPress Single Sign On (SSO) with optional JWT Addon

maicol07

Sarveshmrao The insecure option sets Guzzle verify setting to false (click on verify to know what disables)

MirceaSilviuItu

Hello maicol07 ,

I am trying to use your sso solution for a forum. subdomain rather than writing my own but your documentation page is offline.

Also, is it possible to configure it to use JWT rather than your php plugin? I'm thinking I can more easily add a JWT as a cookie which will be accessible from the subdomain; then flarum only needs to verify and decode it.

Thank you!

maicol07

MirceaSilviuItu hi, thank you for your interest in the extension.

MirceaSilviuItu I am trying to use your sso solution for a forum. subdomain rather than writing my own but your documentation page is offline.

Actually, I've switched to a new WIP documentation system and I've forgotten to update the links.
Since a new major version is in development, I'll update the docs when this will be finished.
In the meantime, you can see the previous docs here: https://maicol07-docs.maicol07.now.sh/docs/en/flarum_sso/plugin/introduction

MirceaSilviuItu Also, is it possible to configure it to use JWT rather than your php plugin?

Not at the moment, but it's on the list. Follow this to keep updated: https://bugs.maicol07.it/issue/FSSOE-15

MirceaSilviuItu

Hmm I think you were a little overzealous using guzzle 7.0 for the api client; a ton of dependencies still require guzzle 6.0 and it's going to take time until those are updated, if ever. I can't use your php extension because it conflicts with guzzle 6.0 that another dependency is using.

So I'll have to fork both the php extension and the api client : (

maicol07

MirceaSilviuItu you're right. I think I'll add support to Guzzle 6 in the next days!
Check in the tracker: https://tracker.maicol07.it/issue/FAC-1

maicol07

MirceaSilviuItu added in 1.1.2: https://tracker.maicol07.it/issue/FAC-1 or https://discuss.flarum.org/d/24880-flarum-api-client-php/9

MirceaSilviuItu

maicol07 thanks. There really are a lot of 3rd party libraries requiring guzzle 6 still.

MirceaSilviuItu

maicol07 Oh, your flarum-sso-plugin is actually still requiring maicol07/flarum-api-client: dev-0.2.x-dev which ofc is still requiring guzzle 7

https://packagist.org/packages/maicol07/flarum-sso-plugin

maicol07

MirceaSilviuItu yes, I'm developing a new major version for the plugin. Should be out by the end of September

MirceaSilviuItu

maicol07 Ok I installed flarum-sso-plugin dev-master for now :\

MirceaSilviuItu

maicol07
How do I signup a user using the latest version?
Your old documentation says $flarum->login('username', 'email', 'password');
However I see that you moved the Basic trait to the User class and login() doesn't take any parameters now and I don't see how to load the attributes into the class when I want to signup a new user for example.

maicol07

MirceaSilviuItu documentation about the new version will be written soon. Stay tuned!

MirceaSilviuItu

maicol07 🤣 I'm just going to use the api through your plugin to make an api call with user, email and password then. I can't wait 😀

MirceaSilviuItu

Have you tested the logout functionality? Because I am not sure it works. I have my forum at forum.mysite.com and the flarum_session cookie is set for the domain forum.mysite.com which I don't think can be unset from .mysite.com

Moreover in order to unset a cookie, as specified here: https://packagist.org/packages/delight-im/cookie the new cookie object needs to have exactly the same properties as the existing cookie, but in the logout() method you have hardcoded some props like the path and HttpOnly and SecureOnly to true, which I'm not using as I'm developing locally.

maicol07

MirceaSilviuItu the logout feature works. Configuration parameters are the same as the old docs. So you need to set mysite.com as root domain. You can try the example to see how it works

MirceaSilviuItu

maicol07 I did but did you test your solution just when the forum is at mysite.com/forum/ or also when it's at forum.mysite.com ?
Because I don't think you can unset a cookie which was set from forum.mysite.com (set by the flarum application) from mysite.com (different php application). I think that would be a security issue?

I think in this scenario you would need a redirect from mysite.com -> Logout -> to forum.mysite.com to unset the session cookie there, then redirect back to mysite.com.

Or modify your flarum plugin to set the flarum_session cookie to .mysite.com instead of forum.mysite.com (but I'm not sure if Flarum supports that from within an extension?). Then it would work I imagine.

maicol07

MirceaSilviuItu I'll do some more tests and catch you soon

MirceaSilviuItu

The browser knows the cookie was set from forum.mysite.com so it wont accept a request to unset that cookie from mysite.com, I imagine?

maicol07

MirceaSilviuItu I've tested it. It seems that flarum adds a session cookie witht he subdomain... I should be able to fix this with the Flarum extension

maicol07

MirceaSilviuItu fixed, I hope!

« Previous Page Next Page »