
SSO jsConnect + embedded - struggling

Hey guys,

So I tried to set up SSO with the jsConnect plugin in embedded mode. Testing the connection is a success, but when I press the button "log in with username" (so that's the sign that at least recognition of the active session works) it says "invalid signature". I don't get why it fails. Could someone have a look at my code? I built it up using the official documentation, parts 1 and 2.

So first some information:

Embed-Code
vanilla_identifier is empty because when I set a value it only shows the comment box. Without it, the whole forum is shown. I don't know what is supposed to be typed in there and why this behaviour occurs.

<div id="mainC">

<div class="container">
        <div id="vanilla-comments"></div>

        <script type="text/javascript">

        /*** Required Settings: Edit BEFORE pasting into your web page ***/

        var vanilla_forum_url = 'http://forum.example.org'; // The full http url & path to your vanilla forum
        var vanilla_identifier = ''; // Your unique identifier for the content being commented on
        var vanilla_sso = '$sso'; // Your SSO string.

        /*** DON'T EDIT BELOW THIS LINE ***/

        (function() {
        var vanilla = document.createElement('script');
        vanilla.type = 'text/javascript';
        var timestamp = new Date().getTime();
        vanilla.src = vanilla_forum_url + '/js/embed.js';

        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(vanilla);
        })();

        </script>
    </div>

</div>

SSO-generation script (shortened); it calls the HTML code above after completion, so $sso is available for the HTML template:

$my = $myObj->userData; // user record of the session on my own backend

define('CLIENTID','***censored***'); // shared (public) client id, set in vanilla
define('SECRET','***censored***'); // shared (not public) secret, set in vanilla

// Converts a string to its hexadecimal representation, byte by byte
function getStr2Hex($sString)
{
    $sHex = '';
    for ($i=0; $i < strlen($sString); $i++)
    {
        $sHex .= dechex(ord($sString[$i]));
    }
    return $sHex;
}

if($my['loggedin']===true)
{
    // user data handed to the forum; every field used here must actually be present in $my
    $user               = array('email'=>$my['email'],'name'=>$my['name'],'photourl'=>'','uniqueid'=>$my['id'],'client_id'=>CLIENTID);
    //"roles": "member,administrator", // OPTIONAL. You can configure jsconnect to synchronise roles
    $userJson           = json_encode($user);
    $userBase64         = base64_encode($userJson);
    $signatureString    = getStr2Hex($userBase64);

    // the signature covers the user string and the timestamp, separated by a space
    $timestamp = time();
    $signature = hash_hmac('sha1',$signatureString.' '.$timestamp,SECRET);

    // four space-separated parts: user string, signature, timestamp, algorithm name
    $sso = $signatureString.' '.$signature.' '.$timestamp.' hmacsha1';
}

So any idea why I get "invalid signature"? If you ask me I programmed it exactly as it is explained in the documentation.

Comments

  • hgtonight · New Moderator

    Welcome to the community!

    Where is the documentation you are looking at?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • hgtonight · New Moderator
    edited May 2015

    Vanilla offers libraries for PHP, Ruby, Java, and .NET (source). Since you are using PHP, you should use the jsConnectPHP library available here: https://github.com/vanilla/jsConnectPHP

    There is a sample usage in the index.php file.

    EDIT - I just realized it says these libraries don't support embedded SSO. Have you already tried the PHP library?


  • I tried it yesterday and came to the same conclusion - it didn't work for the case SSO + embedded. I thought the documentation would solve every problem, but for some reason it won't work properly. In test mode (JsConnect plugin -> test mode) everything is fine. I think my setup is right, but for some reason the signature is not accepted. I checked it 3 times, 4 times, 5 times... I don't know what's wrong with my script.

  • So finally I made it work now. The main reason was my fault - email was not available in the $my object. I had to call a special method to load additional information, email included.

    I think it's very useful for others to know that a missing element of the user array will result in signature errors.

    As I searched for examples and solutions I came along this: http://vanillaforums.org/discussion/26436/implementing-sso-using-jsconnect-1-4-1-with-vanilla-2-0-18-10-part-i

    I tried using as suggested:

    JsSSOString($user,CLIENTID,SECRET);

    Didn't do anything so I tried

    $sso = JsSSOString($user,CLIENTID,SECRET);

    Made it for me. So there is in fact a function to generate the SSO string for embedded forums. Hope this helps someone.

    Thanks for helping me anyways! :)

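To make the two lessons of this thread concrete (a missing user field shows up only as "invalid signature", and JsSSOString produces a four-part string that the forum verifies), here is an added example. It is not the thread author's code and not the jsConnectPHP library; it follows the format jsSSOString emits (base64-encoded JSON user, HMAC-SHA1 over "<base64> <timestamp>", the timestamp, and the literal hmacsha1) and adds the checks the receiving side should run before trusting the user data. CLIENT_ID, SECRET, MAX_SKEW, REQUIRED_FIELDS and the function names are constructed for this example; the timestamp window is an assumption, not a documented jsConnect value.

```php
<?php
// Added example: not the thread author's code and not the jsConnectPHP library.
// Builds a jsConnect embedded SSO string ("<base64 json> <hmac-sha1> <timestamp> hmacsha1")
// and shows the checks a receiving side should run before trusting the user data in it.
// CLIENT_ID, SECRET, MAX_SKEW and the function names are constructed for this example.

const CLIENT_ID = 'example-client-id';     // placeholder, not a real client id
const SECRET    = 'example-shared-secret'; // placeholder, not a real secret
const MAX_SKEW  = 300;                     // seconds a signed string stays valid (assumption)

// Fields the user array must carry. Leaving one out changes the JSON payload, so
// the forum checks a signature over different data than it expects; the only
// symptom is a bare "invalid signature", exactly as in this thread.
const REQUIRED_FIELDS = ['uniqueid', 'name', 'email'];

function buildSsoString(array $user, string $clientId, string $secret, ?int $now = null): string
{
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($user[$field]) || $user[$field] === '') {
            throw new InvalidArgumentException("user field '$field' is missing or empty");
        }
    }
    $user['client_id'] = $clientId;
    $timestamp = $now ?? time();
    $string    = base64_encode(json_encode($user));
    // The HMAC covers the payload and the timestamp, so neither can be swapped on its own.
    $signature = hash_hmac('sha1', $string . ' ' . $timestamp, $secret);
    return "$string $signature $timestamp hmacsha1";
}

function verifySsoString(string $sso, string $clientId, string $secret, ?int $now = null): array
{
    $parts = explode(' ', $sso);
    if (count($parts) !== 4 || $parts[3] !== 'hmacsha1') {
        throw new RuntimeException('malformed sso string');
    }
    [$string, $signature, $timestamp] = $parts;
    $now = $now ?? time();
    // Reject stale strings so a captured one cannot be reused indefinitely.
    if (!preg_match('/^\d+$/', $timestamp) || abs($now - (int) $timestamp) > MAX_SKEW) {
        throw new RuntimeException('timestamp outside the accepted window');
    }
    $expected = hash_hmac('sha1', $string . ' ' . $timestamp, $secret);
    // Constant-time comparison; never compare signatures with == or ===.
    if (!hash_equals($expected, $signature)) {
        throw new RuntimeException('invalid signature');
    }
    $user = json_decode((string) base64_decode($string, true), true);
    if (!is_array($user) || ($user['client_id'] ?? null) !== $clientId) {
        throw new RuntimeException('client id mismatch');
    }
    return $user;
}

// --- demonstration with constructed user data ---------------------------------
$user = ['uniqueid' => '42', 'name' => 'alice', 'email' => 'alice@example.org', 'photourl' => ''];
$sso  = buildSsoString($user, CLIENT_ID, SECRET);
$ok   = verifySsoString($sso, CLIENT_ID, SECRET);
echo "accepted user: {$ok['name']} ({$ok['email']})\n";

// A user array without the email field is refused up front, instead of
// surfacing later as an unexplained signature error on the forum side.
try {
    buildSsoString(['uniqueid' => '42', 'name' => 'alice'], CLIENT_ID, SECRET);
} catch (InvalidArgumentException $e) {
    echo "refused: {$e->getMessage()}\n";
}

// Any change to the payload after signing is caught by the HMAC check.
[$payload, $sig, $ts, $alg] = explode(' ', $sso);
$edited = base64_encode(json_encode(['name' => 'mallory'] + $user + ['client_id' => CLIENT_ID]));
try {
    verifySsoString("$edited $sig $ts $alg", CLIENT_ID, SECRET);
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run it with `php example.php`: the first line reports the accepted user, the second shows the missing-email case being refused with a message that names the field, and the third shows the edited payload being rejected with "invalid signature". The early field check is the part that would have saved the poster's debugging time; the timestamp window and hash_equals are what a consumer of such strings should insist on regardless of which side generated them.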
  • hgtonight · New Moderator

    Nice job getting it working!

    Thanks for posting back with your solution.


  • Strange... I made a fresh installation with the newest package (security fix), set up JSConnect and embedded mode, changed client-id and secret, but it's broken now...

    Well, I think I crashed it without knowing why. More grey hair growing now...

  • Works again. Vanilla had a problem signing me in since the e-mail of the installation admin account and my own backend account were the same. As I tried to sign in manually I was offered to connect the accounts, which I did, and now it's working again as it is supposed to.
