Domain cookie SSO extension how to implement

glutio

Hi all,

I'm new to Flarum and am exploring how to implement SSO using a domain-wide session cookie. Here’s the setup I am considering:

Main Site (www.example.com): Has a /signin page that sets a domain-wide session cookie (valid for all subdomains of example.com) upon successful login. There's also a /validate endpoint that checks the session cookie and returns 200 OK for valid sessions or 401 Unauthorized for invalid/expired sessions.
Flarum Site (flarum.example.com): Should use the session cookie, already available due to domain-wide scope, to authenticate users. When Flarum frontend calls the backend API the cookie is sent too, so the backend in turn can forward the cookie to the main site’s /validate endpoint to authenticate the session.

I need guidance on integrating this logic with Flarum, please, particularly in scenarios where: If /validate returns 200, the user should be logged into Flarum, and a new user account should be created in the Flarum database if it’s their first login. And I need to redirect users to the main site’s /signin for authentication, and upon returning, the Flarum backend should recognize the set cookie and validate the session. The signout process on Flarum should redirect to the main site’s /signout endpoint, ensuring session termination on both platforms.

From my research on github, I've encountered concepts like Listeners, Controllers, and Middleware in Flarum extensions that implement SSO. Since I don’t require any UI changes (as the login user interface is managed by the main website), my focus is on backend integration for session management.

Could anyone kindly provide insights or examples on how to achieve this? My goal is to manage sessions from a single point, allowing seamless sign-in and sign-out across both the main and Flarum sites.

Thank you for any help or pointers you can provide!

clarkwinkelmann

My WordPress integration extension implements this but it's closed source so I can't share the implementation unfortunately.

I also have this extension that allows to use the Flarum API using a cookie set by the main website https://discuss.flarum.org/d/30632-json-web-token-cookie-login it's a bit different in the way it works but it can give you some ideas.

ctml

Take a look at https://discuss.flarum.org/d/21666-php-and-wordpress-single-sign-on-sso-with-optional-jwt-addon

glutio

Was able to implemet core functionality, full source here. Below is the main logic of the middleware. Will greatly appreaciate comments and/or recommendations as I am very new to the Flarum codebase. Thank you!

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // get the user info (if logged in) by forwaring domain cookies to SSO
        $externalSession = $this->getExternalSession($request);
        
        // is $session ever null?
        $session = $request->getAttribute('session');
        
        if ($externalSession) {           
            // get user associated with Flarum token or create new token
            $actor = $this->getActor($session, $request);
            if (!$actor) {
                // find existing or create new user in Flarum and login
                $user = $this->getUser($externalSession);
                $token = SessionAccessToken::generate($user->id);
                $this->auth->logIn($session, $token);
                $actor = $user;
            }
       
            $request = RequestUtil::withActor($request, $actor);
        }
        else {
            // always logout 
            $this->auth->logOut($session);
            
            $request = RequestUtil::withActor($request, new Guest);
        }

        return $handler->handle($request);
    }

Inspired by work of tituspijean here and here

glutio

Released on packagist.org, install composer require glutio/domainsso:*.
Source code

Main scenario is to share login session between main site and forum site.
Example:

SSO url is https://example.com and has login endpoint /api/auth/signin, logout endpoint /api/auth/signout and session endpoint /api/auth/session..
Flarum url is https://flarum.example.com with DomainSSO extension enabled.
The user clicks Log In on the Flarum site and is redirected to https://example.com/api/auth/signin where they log in and a domain-scoped token cookie is generated.
The user is redirected back to Flarum at https://flarum.example.com and the domain-scoped cookie is forwarded to https://example.com/api/auth/session.
If based on the domain-scoped cookie the session is validated (returning session JSON) Flarum logs in the user based on the user's email address (the user is created in Flarum's database on first login).
The user clicks Log Out on the Flarum site and is logged out of Flarum and is redirected to https://example.com/api/auth/signout where the domain-scoped session is terminated.

Double-clicking Log In on the Flarum site pops up a login dialog for local Flarum admin to login to setup or fix the extension's settings.

Initially the the extension is implemented to work with NextAuth.js and expects the session JSON to have a user property:

{
    "user": {
        "name": "John Doe",
        "email": "john.doe@example.com",
        "image": "https://example.com/image.jpg"
    }
}

glutio

Created a Dockerfile to containerize Flarum with DomainSSO extension and read DB settings form the environment in case someone wants to use it as a basis for their own container...