ericgj
May 8, 2012, 11:50:24 AM
to omniauth
I searched for a provider for OpenSSO, but not finding one I took a
stab at implementing it myself. I am new to OmniAuth and don't know
crap about OpenSSO except it's what my company uses for SSO for web
apps, and it seemed the easier route instead of talking directly to
Active Directory (although I may end up doing that instead).
The way OpenSSO works is via tokens set in cookies. After you have the
token you make service calls to determine if the token is valid and to
get back user info. If you don't have the token, you redirect the
browser to a sign-in page with a callback url, which sets the token
(assuming sign-in is valid), and redirects back to the callback
address.
So my request phase looks essentially like this:
  def request_phase
    if has_valid_token?   # token cookie present and confirmed valid by the OpenSSO service call
      redirect callback_url
    else
      sign_in             # redirect the browser to the OpenSSO sign-in page
    end
  end
And I have the OpenSSO sign-in redirect back to the request url
(i.e. /auth/opensso), so presumably the second time through,
has_valid_token? returns true and it proceeds to the omniauth
callback.
This all works, but my problem is this. In the omniauth callback, the
application typically sets a session cookie for the signed-in user.
Something like this:
  before '/' do
    auth!(request.url) unless session[:user]   # send unauthenticated users through /auth/opensso
  end

  %w[get post].each do |meth|
    send(meth, '/auth/opensso/callback') do
      session[:user] = env['omniauth.auth'] # simplifying here
      redirect to(env['omniauth.origin'] || '/')
    end
  end
The problem is that it seems that setting a session cookie in the
callback here doesn't make it available to the rest of the application
-- i.e., when it redirects to the origin, there's no session[:user].
My guess is that somehow setting the session[:user] scopes it to the
OpenSSO request, i.e. with the wrong secret?
Any suggestions or anything obvious I'm missing here?
Thanks,
Eric
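As an added illustration of the token-cookie flow described in the post (this is not code from the original message, nor OmniAuth's or OpenSSO's own API), the sketch below is plain Ruby with no gems: it parses the Cookie header, asks a stand-in validator whether the token is good, and returns the redirect the request phase would issue. The cookie name, sign-in URL, the "goto" return parameter, the token table and the helper names are all constructed assumptions for this example; in a real strategy the validator would be the OpenSSO service call, and the token should be re-validated server-side on every request rather than trusted because the cookie is merely present.

```ruby
require 'cgi'

# Assumptions for this example only (not the real OpenSSO values).
TOKEN_COOKIE = 'opensso_token'
SIGN_IN_URL  = 'https://sso.example.invalid/UI/Login'

# Constructed stand-in for the OpenSSO "is this token valid / who is it" service call.
VALID_TOKENS = {
  'tok-abc123' => { 'uid' => 'eric', 'mail' => 'eric@example.invalid' }
}.freeze

# Parse a raw Cookie request header into a name => value hash.
def parse_cookies(header)
  return {} if header.nil? || header.empty?
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[CGI.unescape(name.to_s)] = CGI.unescape(value.to_s)
  end
end

# Stand-in for the service call: returns the user info hash, or nil if the token is not valid.
def validate_token(token)
  return nil if token.nil? || token.empty?
  VALID_TOKENS[token]
end

# Build the sign-in redirect with a return address, as the post describes
# ("redirect the browser to a sign-in page with a callback url").
def sign_in_redirect(return_to)
  "#{SIGN_IN_URL}?goto=#{CGI.escape(return_to)}"
end

# The request phase: env is a Rack-style hash with HTTP_COOKIE plus the two
# URLs the strategy knows about. Returns [status, headers].
def request_phase(env)
  token = parse_cookies(env['HTTP_COOKIE'])[TOKEN_COOKIE]
  if validate_token(token)
    [302, { 'Location' => env['callback_url'] }]   # proceed to the OmniAuth callback
  else
    [302, { 'Location' => sign_in_redirect(env['request_url']) }]
  end
end

# The callback phase: validate the token again (never trust the earlier hop)
# and return the auth hash the application would store in its session.
def callback_phase(env)
  user = validate_token(parse_cookies(env['HTTP_COOKIE'])[TOKEN_COOKIE])
  return [401, {}] unless user
  [200, { 'auth' => { 'provider' => 'opensso', 'uid' => user['uid'], 'info' => user } }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: a browser carrying a valid token cookie.
  env = { 'HTTP_COOKIE' => 'opensso_token=tok-abc123',
          'request_url' => '/auth/opensso',
          'callback_url' => '/auth/opensso/callback' }
  p request_phase(env)
  p request_phase(env.merge('HTTP_COOKIE' => 'opensso_token=bogus'))
  p callback_phase(env)
end
```

Running the file prints the callback redirect for the valid token, the sign-in redirect (with the encoded request url in goto) for the bogus one, and the auth hash the callback would hand to the application.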