PHP and WordPress Single Sign On (SSO) with optional JWT Addon

maicol07

Spookyguy the flow is the following:

POST to /api/token with the following data:

{
            "identification": "username",
            "password" => "password",
            "remember" => false,
 }

This way you retrieve the user token from the Flarum user. Now, two ways:

2a. If token returns and is valid (user already exists) you can just set the required cookies and your user will be logged in: maicol07/flarum-sso-php-pluginblob/145302cb83366d108df8386f4063c8c4526777d7/src/Traits/Cookies.php (check remember cookie if you set remember to true in the request above, otherwise the session one)

2b. Signup the user with a POST to /api/users and the body following JSONAPI standard (check here: maicol07/flarum-sso-php-pluginblob/145302cb83366d108df8386f4063c8c4526777d7/src/User/Traits/Auth.php#L85). Then repeat step 1

Spookyguy

maicol07 Thanks very much for your help. Retrieving the cookie and using it in the browser works perfectly. I just have a problem with generating a new user. As described in the API documentation I tried the following request:

POST https://myserver/api/users
Authorization: Token <API-TOKEN>
Content-Type: application/json

{
  "data": {
    "attributes": {
      "username": "testuser",
      "email": "testuser@example.com",
      "password": "$up4$3cr3tPa$$w0rd"
    }
  }
}

I used the same headers as with the request to retrieve the cookie (which worked perfect as said above).
But the request to create the new user returns

{
  "errors": [
    {
      "status": "400",
      "code": "csrf_token_mismatch"
    }
  ]
}

which according to the documentation indicates that the API token is missing. Do you have any idea, what might be wrong?

Spookyguy

maicol07 Thank you very much for your help. Works perfectly.

Spookyguy

maicol07 I got one more question: Now that the login via the flarum API works and the API returns the token,: How can I forward the user of my Angular client to the forum url with the received token? Setting the cookie in the browser via TypeScript (Angular) for another website (forum site) is not possible for security reasons 🙁.

maicol07

Spookyguy The Bearer token must be the one mentioned here to avoid the CSRF token mismatch error: https://docs.maicol07.it/en/flarum-sso/plugins/php#pre-installation

Spookyguy

maicol07 Yep. I fixed the by myself already and then tried to delete the post here, but that didn't work 😃

akrimony

Is there a demo for this extension somewhere? Or maybe some screenshots?

maicol07

akrimony No, but the PHP plugin has a sample implementation: maicol07/flarum-sso-php-plugintree/master/example

maicol07

Spookyguy yes, it's not possible. This method only works when Flarum is on the same root domain (same domain or in a subdomain).
If you have two completely different domains (i.e. mywebsite.com and mywebsiteforum.com) then this method doesn't work due to browser restrictions and you have to find another way, such as my premium extension for OpenID Connect: https://discuss.flarum.org/d/28245-flarum-openid-connect-client

Spookyguy

maicol07 It works 🙂 ... Forum is at forum.mysite.com and the application at app.mysite.com. Now i am trying to logout the user from the forum when he logs out of the application. If I delete the cookie manually in the developer window of Chrome, it works fine, but with

document.cookie = 'flarum_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT;

in the Angular application as suggested in a StackOverflow post does not 🙁

maicol07

Spookyguy Actually, you have to delete the flarum_session and flarum_remember cookies and also add the flarum_logout cookie: maicol07/flarum-sso-php-pluginblob/145302cb83366d108df8386f4063c8c4526777d7/src/Traits/Cookies.php#L55

Spookyguy

maicol07 Which value needs to be set in the cookie flarum_logout ?

document.cookie = 'flarum_logout=???; Path=/; Expires=Thu, 11 Jun 2024 00:00:01 GMT;'

Additionally flarum seems to set a new cookie flarum_session on reloading after my Angular client deleted it.

Spookyguy

maicol07 I found out, that the cookies Flarum sets are not in the document.cookie of my Angular application, so i cannot delete the cookie flarum_session this way. How can i delete this cookie?

maicol07

Spookyguy maybe you can delete it with a server response (I assume NodeJS)

NewUser

@maicol07 I am trying to set SSO and am running into an issue where the returned user after
$flarum_user = $flarum->user($username);
has the correct id from the user table but does not have the nickname and email attributes filled in.

Calling $flarum_user->login(); later fails but I don't see any errors.

maicol07

NewUser that's strange, do you have the "Nicknames" extension enabled? (to see nicknames).
For the email issue that's very strange. Does it return it from the API?

ryan-moca I need more insights/stack traces to understand where you are getting the issue.

Jackal what do you mean by "third-party provider"?

Sorry all for the late replies, I didn't receive the emails

ryan-moca

Hi, Thanks for this wonderful plugin.

Can you please direct me on how to resolve this issue?
array_key_exists(): Argument #2 ($array) must be of type array, null given

This is happening when creating a new user? Thanks.

Jackal

So I installed the extension successfully. Do I still need a Third-Party Provider to make it work and be able to set up the JWT Addon settings?

NewUser

@maicol07 Yes I do have Nicknames enabled

maicol07

NewUser can you try to debug the requests, maybe by manually printing what's the response in the code?

junaid Hi, do you mean the Flarum extension or the addon for the main auth system? In the first case, it's simply a flarum extension you install with Composer like any other extension you may have installed. You have to install the package with Composer for the main auth system and then call the methods in your login and signup procedures in the docs. Unfortunately, I can't make a video tutorial since every authentication system is different, and it probably won't be helpful.

junaid

@maicol07, can you create a video tutorial on installing this package?

I have a PHP app (MVC architecture) with a simple login system. I have installed flarum on a subdirectory "/community".

I've been trying to integrate SSO for days now, but I can't do it.

Hope you can help

« Previous Page