Interactive SSO

Interactive SSO authentication flow means it’s triggered by the user and requires them to do something in the popup window that appears. What exactly, depends on the SSO provider being used.

Initiating the flow

The interactive SSO flow is initiated either by clicking the Single Sign-On button in the Login dialog, or immediately upon clicking Login in the profile bar, if SSO is the only available authentication method.

Login redirect

After clicking the SSO login button, the user will be redirected to the SSO URL, enriched with the following two query parameters:

• token, a value consisting of 64 hexadecimal digits representing a user session token, and
• hmac, a value consisting of 64 hexadecimal digits, which is a SHA256 HMAC signature of the token. The signature is created using the shared SSO secret.

Callback endpoint

The SSO identity provider has to authenticate the user and, once succeeded, redirect the user to Comentario’s callback URL (<Comentario base URL>/api/oauth/sso/callback), adding the following two query parameters to it:

• payload — hexadecimal-encoded payload describing the user (see below), and
• hmac — SHA256 HMAC signature of the payload, also created using the shared SSO secret.

Payload

The payload value holds a JSON-formatted user data, providing the following properties:

• token, which must be the same value that was passed during the initial SSO call;
• email, specifying the user’s email address;
• name, providing the user’s full name;
• photo, an optional user avatar URL.

For example:

{
  "token": "0a3577213987d24993ef20d335f7b9769c1d1719b40767c6948d6c3882403a96",
  "email": "johndoe@example.com",
  "name": "John Doe"
}

See also

• SSO authentication
• Single SSO provider for multiple domains
• Non-interactive SSO