Forum Discussion

sdenisov
13 years ago

Authentication: REST API and SSO

Hi,

I've had a look through these forums and I can't see anything that specifies a similar problem.

Using asp.net I am completing the following steps during a login process and running into a SSO authentication problem:

1) On server (currently just local dev box), call LithiumSSOClient and receive a HttpCookie containing the token.
2) Use the token contained in the HttpCookie to call the REST API login function, passing it the token. This logs in fine, I get a response and a session key back. I can then make further calls to other REST API methods using this session key.
3) Place the cookie containing the token in the browser.

This is fine, until:

4) User goes to the Lithium demo site in the browser: an error message appears "unable to authenticate" in a red box with 5 possible solutions.

The strange thing is, if I just call step 1 and 3, and do not try and login via the REST login service, when I visit the Lithium site, SSO works just fine.

I also notice when we call the REST API, it returns a number of set-cookies in the response. I have tried setting these cookies in the browser before step 4. This stops the authentication failed message, however it does not log the user in either.

The Lithium site we are using is:

http://sydney.demo.lithium.com

Also, the user we are trying to authenticate is a regular user, not an admin user.

Any help or pointers would be much appreciated,

Thanks

Chris

8 Replies

  • AdamN
    Khoros Oracle
    13 years ago

    Hi Chris,

    SSO Tokens are intended to be used for authentication only once. I would suggest creating separate SSO tokens: one to be used in the browser, and one to be used for the REST API.

    Regards,

    Adam

  • Hi,

    I have the same problem but I don't understand what I must do to solve it.

    To understand properly: we need to create 2 cookies (or we can call getLithiumCookieValue() only for the REST API)

    Must the clientId be different between the 2 cookies?

    If we create 2 cookies, how is the forum able to select the right cookie? (If it selects the cookie created for the REST API, the token is already consumed.)

    Further, is there a relation between the cookie and the IP of the server which creates the cookie? When I create an SSO cookie from a configured server, the forum authenticates the user correctly. When I create the cookie from my local PC (127.0.0.1), the cookie is created but the forum does not authenticate the user.

    On the stage environment, is there an option for getting more logs in the HTTP response to help with debugging?

    Thanks in advance

    Sylvain

  • sylvain_mouquet
    Guide
    13 years ago

    Well, I have found the solution for my first problem.

    I create the SSO token for the REST API and then I create the SSO token for the browser, and not the inverse.

  • sdenisov
    Adept
    13 years ago

    Hi Sylvain,

    Yes, for your first problem, you must generate the cookie value, and give this to the REST API call. You can store this value anywhere, to retrieve for later REST API calls.

    You must then generate another cookie, and store this in the browser; this will be used for SSO. This must be different to the first cookie.

    For your second problem - "Further, is there a relation between the cookie and the IP of the server which creates the cookie? When I create an SSO cookie from a configured server, the forum authenticates the user correctly. When I create the cookie from my local PC (127.0.0.1), the cookie is created but the forum does not authenticate the user."

    I believe Lithium will validate which IP the cookie came from if you are trying to SSO with an admin user, or a user with elevated privileges. If you try with a regular user, it should not perform the IP check. Have you tried testing with a regular user?

  • Yes, I have tried with a regular user.

    When I create the SSO cookie from localhost and I go to my Lithium forum, I am redirected to: /t5/errors/FilterErrorHandlerPage

    and when I refresh the page I have this error: "Identifiant de l'exception : 57487A65"

    Cordially,

    Sylvain

  • sylvain_mouquet
    Guide
    13 years ago

    Well, I have found the problem...

    The date defined in the BIOS of my computer was today + 1. The date was in the future.

    The SSO token generator needs a valid date.
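
The two fixes reached in this thread (a separate token for each consumer, and a correct clock on the machine that issues the token) can be reproduced with a generic model of a single-use, time-bound token. This is an added example, not code from the thread and not Lithium's token format or API; the token layout, the key, the `MAX_SKEW_SECONDS` window and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # constructed value, not a real SSO key
MAX_SKEW_SECONDS = 300                # assumed freshness window

def _tag(payload):
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user, now=None):
    """Issue a fresh token: user|issued_at|nonce|HMAC-SHA256 tag."""
    issued_at = int(time.time() if now is None else now)
    payload = f"{user}|{issued_at}|{secrets.token_hex(8)}"
    return f"{payload}|{_tag(payload)}"

class Verifier:
    """Accepts each token once, and only inside the freshness window."""

    def __init__(self):
        self.seen_nonces = set()

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        try:
            payload, tag = token.rsplit("|", 1)
            user, issued_at, nonce = payload.split("|")
            issued_at = int(issued_at)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
            return "bad-signature"
        if abs(now - issued_at) > MAX_SKEW_SECONDS:
            return "stale-or-future"      # issuer or verifier clock is off
        if nonce in self.seen_nonces:
            return "replayed"             # token was already consumed
        self.seen_nonces.add(nonce)
        return "ok"

def demo(now=1_700_000_000):
    v = Verifier()
    shared = issue_token("chris", now)            # one token reused for REST and browser
    rest, browser = issue_token("chris", now), issue_token("chris", now)
    ahead = issue_token("sylvain", now + 86_400)  # issuer clock one day ahead
    return [v.verify(t, now) for t in (shared, shared, rest, browser, ahead)]
```

In `demo()`, the reused token is accepted once and then rejected as replayed, the two separately issued tokens are both accepted, and the token stamped a day in the future is rejected on the freshness check.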