HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Help with API Access from SSO Provider


I hope someone can point me in the right direction:

I have a 2023.003 Forum (my.forum.net) setup with jsConnect SSO to another website (my.portal.net).

Now I want call /api/v2/users/me-counts from my.portal.net to show if they're a new notifications on my.forum.net but I can't wrap my head around the request authentication. I think due to lack in understanding the JWT parts.

When I create a personal Access Token on my.forum.net I can use it easily for an GET request via Ajax e.g. $.get('https://my.forum.net/api/v2/users/me-counts?access_token=<myManuallyGeneratedAccessToken>').

So the setup itself works (whitelisting my.portal.net etc.)

Based on this information I think, that I need to somehow to programmatically create access tokens on my.forum.net, save it somehow to the user on my.portal.net and use it for the GET request.

But since my.portal.net is the SSO Authentication provider can't I create an JWT access token there on the fly and use it to authenticate the request?


  • Options


    I found the flaw in my thoughts.

Sign In or Register to comment.