XF 2.2 How to use the new 2.2 API for "seamless" SSO with XF

BubbaLovesCheese

Active member
So I'm curious about the new Xenforo API endpoints. Specifically the POST auth/from-session and the POST auth/login-token

It says:
Looks up the active XenForo user based on session ID or remember cookie value. This can be used to help with seamless SSO with XF, assuming the session or remember cookies are available to your page.

Generates a token that can automatically log into a specific XenForo user when the login URL is visited.

Could someone just give me a brief bullet point flow chart on how this might work?

I mean, if I have a seperate website with a user base, can I use these XF APIs to automatically create/login any of my users if the land on the XF URL?
 

Mike

XenForo developer
Staff member
If by "separate website" you mean a separate domain, the from-session system won't be relevant because the cookies will never be available for you. This depends on the cookies being available, which means the same domain (outside of where XF is installed) or a sub-domain (if you have XF's cookies configured to be set across sub-domains). If the cookies are available, you can know whether the user is currently logged into XF (active session) or whether they would be logged in if they visited (via the remember cookie).

The login-token system allows you to redirect a user through XF to log them in as a particular user. This is generally for a situation where you have your own membership system and XF accounts are associated through that. When a user logs into your system, you could generate a login token and redirect them through the special URL, which will log the browser into the specified XF account.
 

BubbaLovesCheese

Active member
Hi. Thanks, yes.

I do have my own membership system, but with XF on a subdomain, on a seperate server.

www.website.com > website with it's own membership system
forum.website.com > XF installation on sub-domain, but hosted from a different server

So would the authentication flow be something like this?
  • User logs in to www.website.com

  • An XF API request is made:
    • GET users/find-name
  • If username exists, then
    • POST auth/login-token
  • And then the user is automatically logged into forum.website.com also.

  • However, if username does not exist, then
    • Is there a create user account endpoint?

Thanks.
 

BubbaLovesCheese

Active member
The login-token system allows you to redirect a user through XF to log them in as a particular user. This is generally for a situation where you have your own membership system and XF accounts are associated through that. When a user logs into your system, you could generate a login token and redirect them through the special URL, which will log the browser into the specified XF account.


So if I understand, we have to redirect the user to a xenforo url passing along the token.... So just a couple more questions....
  1. Is there a way to invalidation a token?
  2. What happens if the user directly accesses the forum? How would we pass a token in that scenario?
  3. Is there a guide to using this?
Thanks!
 
Top