OpenSSO provider


ericgj

May 8, 2012, 11:50:24 AM
to omniauth
I searched for a provider for OpenSSO, but not finding one I took a
stab at implementing it myself. I am new to OmniAuth and don't know
crap about OpenSSO except it's what my company uses for SSO for web
apps, and it seemed the easier route instead of talking directly to
Active Directory (although I may end up doing that instead).

The way OpenSSO works is via tokens set in cookies. After you have the
token you make service calls to determine if the token is valid and to
get back user info. If you don't have the token, you redirect the
browser to a sign-in page with a callback url, which sets the token
(assuming sign-in is valid), and redirects back to the callback
address.

So my request phase looks essentially like this:

def request_phase
  if has_valid_token?
    redirect callback_url   # token already present and valid: go straight to the callback
  else
    sign_in                 # no valid token: send the browser to the OpenSSO sign-in page
  end
end

And I have the OpenSSO sign-in redirect back to the request url
(i.e. /auth/opensso), so presumably the second time through,
has_valid_token? returns true and it proceeds to the omniauth
callback.

This all works, but my problem is this. In the omniauth callback, the
application typically sets a session cookie for the signed-in user.
Something like this:

before '/' do
  auth!(request.url) unless session[:user]
end

%w[get post].each do |meth|
  send(meth, '/auth/opensso/callback') do
    session[:user] = env['omniauth.auth'] # simplifying here
    redirect to(env['omniauth.origin'] || '/')
  end
end

The problem is that it seems that setting a session cookie in the
callback here doesn't make it available to the rest of the application
-- i.e., when it redirects to the origin, there's no session[:user].
My guess is that somehow setting the session[:user] scopes it to the
OpenSSO request, i.e. with the wrong secret?

Any suggestions or anything obvious I'm missing here?

Thanks,
Eric

ericgj

May 9, 2012, 9:52:59 AM
to omniauth
Never mind about this - my Sinatra test app had sessions configured
wrong. So I think it all works now.
I'll clean it up & put up an omniauth-opensso gem soon.
Eric
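The token-cookie flow from Eric's first post and the session-store fix from his follow-up, as an added example that is not part of this thread and not the omniauth-opensso gem's code. It is a gem-free Ruby sketch: a signed-cookie session store stands in for Sinatra/Rack sessions, an OpenSSOFlow class stands in for the strategy's request and callback phases, and the OpenSSO "is this token valid / whose is it" service calls are replaced by an injected lookup so it runs offline. The cookie name, login URL, callback URL, the goto parameter and the token table are all assumed placeholders.

```ruby
require 'openssl'
require 'json'
require 'uri'

# Signed-cookie session store standing in for Sinatra/Rack sessions. One
# shared secret per app is what lets session['user'] set in the callback be
# read on later requests; two different secrets reproduce the "wrong secret"
# symptom from the thread (the session silently comes back empty).
class SignedSession
  def initialize(secret)
    @secret = secret
  end

  # Serialize the hash and append an HMAC so a tampered or foreign cookie
  # is rejected rather than trusted.
  def dump(hash)
    payload = [JSON.generate(hash)].pack('m0') # strict base64, no newlines
    "#{payload}--#{sign(payload)}"
  end

  # Returns the session hash, or {} when the signature does not verify.
  def load(cookie)
    return {} if cookie.nil?
    payload, sig = cookie.split('--', 2)
    return {} unless payload && sig && secure_equal(sign(payload), sig)
    JSON.parse(payload.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    {}
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the OmniAuth strategy's two phases. validate_token plays the
# role of the OpenSSO token-validation / user-info service calls and is
# injected so the example runs offline. Cookie name, login URL, callback
# URL and the 'goto' parameter are assumed placeholders, not OpenSSO's.
class OpenSSOFlow
  TOKEN_COOKIE = 'sso_token'
  LOGIN_URL    = 'https://sso.example.invalid/login'
  CALLBACK_URL = 'http://app.example.invalid/auth/opensso/callback'

  def initialize(validate_token:)
    @validate_token = validate_token
  end

  # Request phase: a valid token goes straight to the callback; otherwise the
  # browser is sent to the sign-in page with the callback as return URL.
  def request_phase(cookies)
    return [302, { 'Location' => CALLBACK_URL }] if user_for(cookies)
    [302, { 'Location' => "#{LOGIN_URL}?goto=#{URI.encode_www_form_component(CALLBACK_URL)}" }]
  end

  # Callback phase: re-validate the token (cookie presence alone proves
  # nothing), store the user in the app session and return to the origin.
  def callback_phase(cookies, session)
    user = user_for(cookies)
    return [401, {}] unless user
    session['user'] = user
    [302, { 'Location' => session.delete('origin') || '/' }]
  end

  private

  def user_for(cookies)
    token = cookies[TOKEN_COOKIE]
    token && @validate_token.call(token)
  end
end

# Constructed token table standing in for the OpenSSO service responses.
VALID_TOKENS = { 'AQIC-constructed-token' => { 'uid' => 'eric', 'name' => 'Eric' } }.freeze

# Walk one browser through both phases, then read the session the way the
# app's next request would: written with callback_secret, read with app_secret.
def run_flow(token, callback_secret, app_secret)
  flow = OpenSSOFlow.new(validate_token: ->(t) { VALID_TOKENS[t] })
  cookies = token ? { OpenSSOFlow::TOKEN_COOKIE => token } : {}
  _status, headers = flow.request_phase(cookies)
  unless headers['Location'] == OpenSSOFlow::CALLBACK_URL
    return { outcome: :sign_in_redirect, location: headers['Location'] }
  end
  session = { 'origin' => '/dashboard' }
  status, headers = flow.callback_phase(cookies, session)
  return { outcome: :rejected, status: status } if status == 401
  cookie = SignedSession.new(callback_secret).dump(session)
  user   = SignedSession.new(app_secret).load(cookie)['user']
  { outcome: :signed_in, location: headers['Location'], user: user }
end
```

Calling run_flow with the same secret for both stores returns the user on the post-callback request; calling it with two different secrets returns a nil user even though the callback ran, which is exactly the symptom of a session store configured differently for the callback and the rest of the app. A missing or unknown token never reaches the callback and is redirected to sign-in instead.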

Rahul Ghose

Feb 11, 2014, 5:20:59 AM
to omni...@googlegroups.com
Did you put up the gem? I am trying to do something similar.