I'm working on a plugin for a client that lets us do Single Sign-on in a greatly simplified way.
All the content is private, only registered users can read anything, and our client only registers users for their clients. I need to support a dashboard that pulls content from a number of their web apps into one place. The user logs into the dashboard and then we start doing all sorts of ajax to fetch data and render it. Since the content I'm pulling requires WP authentication and I do NOT like passing usernames/passwords around, I came up with this plugin (it's the relevant code, in a gist).
The way it works right now is this:
- The user logs in to our dashboard.
- The server takes the user's WP credentials that it has stored and posts them, along with a redirect URL (say /) to index.php?sso=!
- The WP plugin does some cryptographic jiggery-pokery and returns the URL /index.php?sso=SOMREaLLYLongBase64EncodedURLString, which is an encrypted JSON string.
- The returned URL is sent to the browser.
- When the browser requests the URL, the plugin decrypts and decodes the string into an object, the validity of the token is verified (by recalculating the signature) and the session is created if it's valid.
All of this works, except for a few things that are preventing me from being truly happy.
- Instead of encoding a redirect URL into the token, I want to be able to add the token to any request so that I could request any number of URLs and have them authenticated. I think that's really just a matter of NOT posting a redirect URL originally, not echoing the JSON string and calling
- Right now, it seems that I'm bypassing the cookie authentication; at least in my testing, the token would be validated regardless of whether or not a valid session existed. I'm OK with that if the username changes, but always "recreating" the session meant that I have to set a very long expiry on my token, and I'm not sure I want to do that.
- I'd prefer to use a custom URI for the initial post (like /sso/create) rather than what I have. I tried a few things, following some tutorials I found online but nothing seemed to work.
Does anyone have any suggestions?
I know there is probably some bad mojo in there (I already know I need to add options for timeout and stuff, but I stripped that out to avoid cluttering the question too much). I also know that I'm not actually encrypting stuff. The problem is that I used vagrantpress to get a dev environment up and mcrypt wasn't set up, and I'm not currently sure my client has it, so in the interest of getting the Beta test running, I cheated ;)
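The token scheme described in the steps above (encrypted JSON, signature recalculated on the WP side, session created only if valid), written out as an added example that is not the asker's gist and not from any WordPress project code. It swaps mcrypt for PHP's openssl extension and assumes PHP 7.1+, WordPress loaded, and a constructed shared secret SSO_KEY; the short `exp` claim and the "only set the cookie when no session exists" check are what let the token TTL stay short instead of matching the session length.

```php
<?php
// Added example, not the asker's gist. Assumes PHP 7.1+ with openssl, WordPress
// loaded, and SSO_KEY as a constructed 32-byte secret shared by the dashboard
// server and the plugin (replace with a real, stored secret).
define('SSO_KEY', hash('sha256', 'constructed-demo-secret-replace-me', true));

function sso_b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function sso_b64url_decode(string $s) {
    return base64_decode(strtr($s, '-_', '+/'), true);
}

// Token = base64url( IV || AES-256-CBC(payload) || HMAC-SHA256(IV || ciphertext) ).
// Encrypt-then-MAC; a short 'exp' claim bounds how long a captured token works.
function sso_create_token(string $login, int $ttl = 60, ?int $now = null): string {
    $now = $now ?? time();
    $payload = json_encode(['user' => $login, 'iat' => $now, 'exp' => $now + $ttl]);
    $iv = random_bytes(16);
    $body = $iv . openssl_encrypt($payload, 'aes-256-cbc', SSO_KEY, OPENSSL_RAW_DATA, $iv);
    return sso_b64url_encode($body . hash_hmac('sha256', $body, SSO_KEY, true));
}

// Returns the claims array, or null on any failure. The MAC is checked in
// constant time before anything is decrypted or parsed as JSON.
function sso_verify_token(string $token, ?int $now = null): ?array {
    $raw = sso_b64url_decode($token);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) { return null; }
    $body = substr($raw, 0, -32);
    if (!hash_equals(hash_hmac('sha256', $body, SSO_KEY, true), substr($raw, -32))) {
        return null;
    }
    $payload = openssl_decrypt(substr($body, 16), 'aes-256-cbc', SSO_KEY, OPENSSL_RAW_DATA, substr($body, 0, 16));
    $claims = $payload === false ? null : json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['user'], $claims['exp'])) { return null; }
    return $claims['exp'] > ($now ?? time()) ? $claims : null;
}

// Plugin side: only set the auth cookie when the token is valid and no session
// for that user already exists, so the token TTL can stay short (e.g. 60 s).
function sso_maybe_login(string $token): bool {
    $claims = sso_verify_token($token);
    $user = $claims ? get_user_by('login', $claims['user']) : false;
    if (!$user) { return false; }
    if (!is_user_logged_in() || get_current_user_id() !== $user->ID) {
        wp_set_auth_cookie($user->ID);
    }
    return true;
}
```

Because the token carries no redirect URL, the same `sso_verify_token` check can run on any request that includes `sso=`; the dashboard just calls `sso_create_token` per request instead of once per login.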