HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

cannot figure out SSO jsConnect & embedded comments


Im doing some PoC to check if vanilla will be good for us.

The first issue Im having is getting to work SSO using embedded comments (we have no interest in the full site).

I think I've followed the instructions, but I cant manage.

here's what I've done so far:

-installed the jsConnect addon

-Configure a new connection using using jsConnect V3

-I added the embedded code into my page (https://success.vanillaforums.com/kb/articles/49-universal-comments)

The comment box seems functional and I can comment, it's the SSO that I cannot manage

-I've added a vanilla_sso string generated as following:

a JSON string with some user information:

 {  "client_id": "5832754", (taken from the jsConnect configuration)

  "uniqueid": "1234567890",

  "name": "santiago",

  "email": "[email protected]",

   "photourl": "http://localhost/photo",


The Java snippet I used for the quick test

#encode json in base64
base64 = new String(Base64.getEncoder().encode(json.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
#get timestamp
String timestamp = "" + new Date().getTime();
#encrypt using the jsconnect secret as key, input is <base64String= timestamp>
signature = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secret).hmacHex(base64 + " " + timestamp);
#Concatenate base64String signature timestamp hmacsha1
ssoString = base64 + " " + signature + " " + timestamp + " hmacsha1";

and added that as

var vanilla_sso = '${vanilla.ssoString}';

The comment box loads fine but the button always say "comment as.." and requests a login, so Im clearly not logged in into vanilla. Also, no user is generated.

Im a bit lost of what could I be missing.

The only thing I might have skipped is the authentication URL configuration in the jsConnect configuration, which I left with a dummy url, but AFAIK that is used only for full site integration, not embedded comments.

I've also tried hmac_sha_256 with the same results

I would appreciate any help on what I might be missing.

Thank you


Forgot to mention. Im using vanilla forums Version 2021.009


Sign In or Register to comment.