HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanille 3.2 embed SSO not working


I'm having some trouble while upgrading my old v2 forum to v3. I'm embedding the forum in a parent website, and I'm using the SSO attribute to handle authentiction. I haven't been able to get it to work though.

My sso string looks like this: eyJ1bmlxdWVpZCI6MSwibmFtZSI6ImRhZWRlbG90aCIsImVtYWlsIjoidGhpanNAY2F0bGFiLmJlIiwicGhvdG91cmwiOiIiLCJjbGllbnRfaWQiOiJjYXRsYWJpbnRlcmFjdGl2ZSJ9 30af6b32bfecxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1572261940 hmacsha1

(signature redacted)

I'm using easyXDM for the embedding, and I'm setting the parameter like this:

var options = {
    root : 'https://forum.catlab.eu/',
    sso : ssoString,
    initialPath: '/categories/quizwitz',
    notifyLocation: function( ) {


var container = $(this.el).find ('.loungecontainer').get (0);
options.container = container;


It embeds fine, but the user is not authenticated. The client id and password are set correctly.

Any tips on how to debug this?



  • Options

    Update: apparently it's working fine in Firefox, but for some reason it doesn't work in Chrome. Could it be some kind of security measure?

  • Options
    daedelothdaedeloth New
    edited October 2019

    Update 2: it seems no cookies are ever set.

    Feel free to check it out at https://social.quizwitz.com/lounge

  • Options

    Update 3: I'm very, very confused. On computer A, everything works fine. On computer B, on the same chrome build (Version 78.0.3904.70 (Official Build) (64-bit) authentication doesn't work. I have no idea what could be different between those two situations.

    So not sure if this is an issue or not, maybe someone else has seen a similar issue?

  • Options


    I am suspecting the new SameSite policy for cookies in chrome and firefox is causing these issues. I've set the flags that will ship with chrome 80, and my jsConnect implementation completely stopped working. I expect a lot of implementations will stop working when this feature rolls out, so I think this will have to be looked at.

  • Options

    I've managed to login again (through the regular jsConnect login flow) by setting the session cookie in my sso site to samesite=none, secure and httponly. This way the session cookie is sent through the xhr request that loads the jsconnect string. So far so good. Note that this solution only works on ssl sites (but your sso should be running over ssl anyway)

    However, my embedded (iframe) solution with jsconnect string sent as parameter does NOT work. I expect this is caused by the new cookie policy not allowing the session cookie to be sent over a post request, so when vanilla is doing that redirect while parsing the jsconnect token, I expect the session to be lost.

    I'm pretty sure this will affect a lot of wordpress integrations as well.

Sign In or Register to comment.