Yet another SSO with JS Connect, Node.js React
Hello,
First, let me say I have spent about two work days attempting this, and I have read just about every single post about jsConnect. I know this integration has not been easy for most, and it would appear their documentation is just purely lacking, almost as if they want people to pay! Either my implementation is wayyyy off, or I am missing a simple step.
I have set up JsConnect with the following config.
authUrl = http://127.0.0.1:4445/request-token-vanilla
signInUrl = http://localhost:3000/login?Target={target}
My request-token-vanilla endpoint lives on my Node server, where I handle authentication for my regular React website. I do not understand the connection or intended flow, specifically with Vanilla SSO.
I have tested my server endpoint (request-token-vanilla) via the dashboard test, to receive the correct jsonp data, per vanilla's requirements. For example, I can use the test link to log in, with dummy data that I manually enter into the signed response, at http://127.0.0.1:4445/request-token-vanilla.
What I don't understand is how I can make the connection, or redirect back to vanilla after logging someone in from my http://localhost:3000/login?Target={target} react website.
When a user clicks login from Vanilla, it redirects to my React site. Once they are logged in via my Node server, how do I send them back to the forums without Vanilla calling my server endpoint again? But that would be an independent call from the login. Am I supposed to call something like myforums/sso?
I am confused.
Comments
Also, my target url is this "https://dev.vanilla.localhost/entry/jsconnect?client_id=344681643&Target=%2Fdiscussions"
Yes, myforums/sso
And do I attach any user information back into that call?
So, I think I may have cracked my problem. I'm unsure on full security yet, but in case anyone else is wondering how I solved it.
I don't feel like this is secure enough for a plethora of reasons, and so I would like someone to chime in. Thanks. Should I send back a userId for privacy? Also, can someone explain why just pasting https://dev.vanilla.localhost/entry/jsconnect?client_id=344681643&Target=discussions?username=test@test.com into the browser doesn't automatically call the authUrl endpoint by Vanilla? It only works when a user gets redirected from the forums. I understand this is the intent, but 'how'?
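
An added example, not from any poster in this thread and not Vanilla's own code: the login page receives the forum's return address in the `Target` query parameter, so the Node server should check that value before redirecting the browser to it after login. The function name `safeReturnUrl` is hypothetical, and the forum origin is assumed from the target URL quoted in the thread.

```javascript
// Assumption: forum origin taken from the target URL quoted in the thread.
const FORUM_ORIGIN = "https://dev.vanilla.localhost";
const FALLBACK = FORUM_ORIGIN + "/";

// Returns the URL to redirect to after a successful login.
// Anything that does not resolve to the forum's own origin is replaced
// by the forum home page, so the login page cannot be used to bounce
// a freshly authenticated user to another site.
function safeReturnUrl(rawTarget) {
  if (typeof rawTarget !== "string" || rawTarget.length === 0) {
    return FALLBACK;
  }
  // Control characters and backslashes are normalised differently by
  // different parsers; refuse them instead of guessing.
  if (/[\u0000-\u001f\\]/.test(rawTarget)) {
    return FALLBACK;
  }
  let url;
  try {
    // Relative targets such as "/discussions" resolve against the forum.
    url = new URL(rawTarget, FORUM_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Scheme, host and port must all match; this also rejects
  // "//other-host/..." and non-http schemes (their origin is "null").
  if (url.origin !== FORUM_ORIGIN) {
    return FALLBACK;
  }
  // No credentials embedded in the URL.
  if (url.username || url.password) {
    return FALLBACK;
  }
  return url.href;
}
```

The user's identity is not carried in this redirect; the forum still obtains it from the signed response of the configured authUrl endpoint.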