snowdrift/tasks
12
1

Add a sanity check test for discourse SSO #9

Open
opened 2017年04月16日 23:31:32 +02:00 by snowdriftimport · 5 comments
snowdriftimport commented 2017年04月16日 23:31:32 +02:00 (Migrated from gitlab.com)
Copy link

Using the literal values from the spec, at https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045, under "Real World Examples", pasted in here for posterity:

Real world example:
Given the following settings:
Discourse domain: http://discuss.example.com
SSO url : http://www.example.com/discourse/sso
SSO secret: d836444a9e4084d5b224a60c208dce14
Email validated: No (add require_activation=true to the payload)
User attempt to login
Nonce is generated: cb68251eefb5211e58c00ff1395f0c0b
Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b
Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n
Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A
HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56
Finally browser is redirected to:
http://www.example.com/discourse/sso?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A&sig=2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56
On the other end
Payload is validated using HMAC-SHA256, if the sig mismatches, process aborts.
By reversing the steps above nonce is extracted.
User logs in:
name: sam
external_id: hello123
email: test@test.com
username: samsam
require_activation: true
Unsigned payload is generated:
nonce=cb68251eefb5211e58c00ff1395f0c0b&name=sam&username=samsam&email=test%40test.com&external_id=hello123&require_activation=true
order does not matter, values are URL encoded
Payload is Base64 encoded
bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9\nc2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJl\nX2FjdGl2YXRpb249dHJ1ZQ==\n
Payload is URL encoded
bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9%0Ac2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJl%0AX2FjdGl2YXRpb249dHJ1ZQ%3D%3D%0A
Base64 encoded Payload is signed
1c884222282f3feacd76802a9dd94e8bc8deba5d619b292bed75d63eb3152c0b TODO update example - this is not correct signature
Browser redirects to:
http://discuss.example.com/session/sso_login?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9%0Ac2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJl%0AX2FjdGl2YXRpb249dHJ1ZQ%3D%3D%0A&sig=1c884222282f3feacd76802a9dd94e8bc8deba5d619b292bed75d63eb3152c0b
Using the literal values from the spec, at https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045, under "Real World Examples", pasted in here for posterity: ``` Real world example: Given the following settings: Discourse domain: http://discuss.example.com SSO url : http://www.example.com/discourse/sso SSO secret: d836444a9e4084d5b224a60c208dce14 Email validated: No (add require_activation=true to the payload) User attempt to login Nonce is generated: cb68251eefb5211e58c00ff1395f0c0b Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56 Finally browser is redirected to: http://www.example.com/discourse/sso?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A&sig=2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56 On the other end Payload is validated using HMAC-SHA256, if the sig mismatches, process aborts. By reversing the steps above nonce is extracted. User logs in: name: sam external_id: hello123 email: test@test.com username: samsam require_activation: true Unsigned payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b&name=sam&username=samsam&email=test%40test.com&external_id=hello123&require_activation=true order does not matter, values are URL encoded Payload is Base64 encoded bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9\nc2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJl\nX2FjdGl2YXRpb249dHJ1ZQ==\n Payload is URL encoded bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9%0Ac2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJl%0AX2FjdGl2YXRpb249dHJ1ZQ%3D%3D%0A Base64 encoded Payload is signed 1c884222282f3feacd76802a9dd94e8bc8deba5d619b292bed75d63eb3152c0b TODO update example - this is not correct signature Browser redirects to: http://discuss.example.com/session/sso_login?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9%0Ac2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJl%0AX2FjdGl2YXRpb249dHJ1ZQ%3D%3D%0A&sig=1c884222282f3feacd76802a9dd94e8bc8deba5d619b292bed75d63eb3152c0b ```
snowdriftimport commented 2017年06月03日 22:39:54 +02:00 (Migrated from gitlab.com)
Copy link

changed title from Make a sanity check for discourse using the literal values from the spec to Make a sanity check for discourse{+,+} using the literal values from the spec

By Bryan on 2017年06月03日T20:39:54 (imported from GitLab project)

changed title from **Make a sanity check for discourse using the literal values from the spec** to **Make a sanity check for discourse{+,+} using the literal values from the spec** *By Bryan on 2017年06月03日T20:39:54 (imported from GitLab project)*
snowdriftimport commented 2017年06月03日 22:39:54 +02:00 (Migrated from gitlab.com)
Copy link

changed the description

By Bryan on 2017年06月03日T20:39:54 (imported from GitLab project)

changed the description *By Bryan on 2017年06月03日T20:39:54 (imported from GitLab project)*
iko commented 2021年07月13日 02:45:44 +02:00 (Migrated from gitlab.com)
Copy link

changed the description

changed the description

changed title from {-Make-} a sanity check for discourse{-, using the literal values from the spec-} to {+Add+} a sanity check {+test +}for discourse{+ SSO+}

changed title from **{-Make-} a sanity check for discourse{-, using the literal values from the spec-}** to **{+Add+} a sanity check {+test +}for discourse{+ SSO+}**

changed the description

changed the description
Sign in to join this conversation.
No Branch/Tag specified
master
master-pre-reset
v0.1.4
v0.1.3
v0.1.2
v0.1.1
release-0.1.0.1
Labels
Clear labels
Blocked
Confidential
We track some issues in a private repo, typically when they contain personal information. In the interest of transparency (and ease of tracking for us), we also keep a stub here in the public issues.
design
Visual design and assets
dev
dev/frontend

Archived

docs
Documentation
finances
Management of financial accounts; Grants and other funding sources
good first issue
Issues that do not require in-depth understanding of background or code
governance
Organisational structure and bylaws
legal
Legal terms, policies and documents
needs-info

Archived

ops
Operations
outreach
Community messaging and recruitment
product/blog
For the blog / Ghost
product/crm
For the CRM / CiviCRM
product/elm-site
Relates to https://codeberg.org/snowdrift/elm-website
product/forum
For the forum / Discourse
product/wiki
product/yesod-site
Relates to https://codeberg.org/snowdrift/snowdrift
research
Research, reference materials and studies
security
Issues about authorisation and authentication
type
bug
Broken feature or regression
type
chore
Housekeeping
type
feature
New feature or functionality
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
snowdrift/tasks#9
Reference in a new issue
snowdrift/tasks
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?