
How to log in a q2a user from another domain? (Single Sign-On / Multiple Logins at once)

+5 votes
125 views
asked Aug 10 in Q2A Core by q2apro
edited Sep 9 by q2apro

Situation: 

  • Running a q2a forum siteQ.com
  • Running a custom website siteB.com with a custom script for user logins. 
  • I want to get rid of the custom login script. Instead I would like to use the table "qa_users" from siteQ.com (q2a forum) for the login handling.
  • I know already that I can access the q2a db and files from siteB.com via external integration

Wanted: 

1. User does his login on siteB.com using table qa_users (works already with external integration)

2. User coming from siteB.com visits siteQ.com, which recognizes the user as logged in.

By the way, you know this login feature from Google and Stackexchange, for instance.


Question: 

How can this be implemented?


I researched already and found on stackoverflow: 1, 2, 3. But probably there is a simpler way within question2answer.

Q2A version: 1.7.4
commented Aug 11 by q2apro
Yes, full root access and same database.
commented Aug 21 by q2apro
I think the way to achieve this is by using AJAX. I found an example here and will try to test it soon: https://github.com/0k/multidomain-sso

1 Answer

+1 vote
answered Sep 9 by q2apro

To report back what solution I implemented: 

1. Created a plugin that is basically a copy of page login.php (e.g. /externallogin/)

2. Plugin receives parameters (email, encrypted password and form security code) by the URL  

3. Plugin processes login, without any redirect or the like.

4. Plugin uploaded to 2 external forums (that use the same userbase as the main site!)

Now: 

5. Core hack of qa-include/pages/login.php to output the IMG embeds which load our external login scripts (plugin!). We encrypt our password to NOT send it as plain text. It is not 100 % safe but better than plain text! And all my sites are running on HTTPS/SSL. The following code comes after $topath = qa_get('to');

// Q2APRO HACK for Multiple Logins (single sign-on)

// first we must encrypt the password
$encryption_key = '12345678123456781234567812345678'; // your KEY
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
// options = 0 makes openssl_encrypt return base64, so the ':' separator cannot occur inside the ciphertext
$inpassword_encrypted = openssl_encrypt($inpassword, 'aes-256-cbc', $encryption_key, 0, $iv);
$inpassword_encrypted = $inpassword_encrypted . ':' . base64_encode($iv);

// decrypt
// $parts = explode(':', $inpassword_encrypted);
// $decrypted = openssl_decrypt($parts[0], 'aes-256-cbc', $encryption_key, 0, base64_decode($parts[1]));

$formcode = qa_post_text('code');

// URL-encode all parameters, then HTML-escape the query string for the src attributes
$query = htmlspecialchars(http_build_query(array(
    'eh' => $inemailhandle,
    'p' => $inpassword_encrypted,
    'c' => $formcode,
)));

// do multiple login requests using image embeds
// json_encode() quotes and escapes $topath so it cannot break out of the script
$output = '
<html>
<head>
<script>
function do_redirect()
{
   window.location='.json_encode((string) $topath).';
}
</script>
</head>
<body onload="do_redirect()">
<div style="display:none;">
    <img src="//www.myexternalsiteA.com/externallogin?'.$query.'"/>
    <img src="//www.myexternalsiteB.com/externallogin?'.$query.'"/>
</div>
</body>
</html>
';

echo $output;
return;

// END HACK


Hope that helps.

There are other ways to achieve single sign on / multiple logins, here are a couple of links that give you some ideas: 

...
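
An added example, not part of the original answer or of Question2Answer: one alternative to putting the encrypted password in the image URL is a short-lived HMAC-signed login token, shown here for PHP 7.1+. The names SSO_KEY, b64url(), sso_make_token() and sso_verify_token(), the 30-second lifetime and the in-memory nonce store are assumptions made for illustration.

```php
<?php
// Added example, not Q2A code. SSO_KEY, b64url(), sso_make_token() and
// sso_verify_token() are hypothetical names; the key is a placeholder.
const SSO_KEY = 'replace-with-a-long-random-secret-shared-by-all-sites';

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Main site, after a successful login: sign user id, target host, expiry and nonce.
function sso_make_token(int $userid, string $host, int $now, int $ttl = 30): string {
    $payload = json_encode(['u' => $userid, 'h' => $host, 'e' => $now + $ttl,
                            'n' => bin2hex(random_bytes(16))]);
    $body = b64url($payload);
    return $body . '.' . b64url(hash_hmac('sha256', $body, SSO_KEY, true));
}

// Receiving site: returns the user id, or null if the token must be rejected.
// $seen stands in for a persistent store of used nonces (assumption).
function sso_verify_token(string $token, string $host, int $now, array &$seen): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    $expect = b64url(hash_hmac('sha256', $body, SSO_KEY, true));
    if (!hash_equals($expect, $mac)) return null;          // forged or altered
    $p = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($p) || !isset($p['u'], $p['h'], $p['e'], $p['n'])) return null;
    if ($p['h'] !== $host || $p['e'] < $now) return null;  // wrong site or expired
    if (isset($seen[$p['n']])) return null;                // replayed
    $seen[$p['n']] = true;
    return (int) $p['u'];
}

// Constructed demo values.
$seen = [];
$now = 1700000000;
$host = 'www.myexternalsiteA.com';
$token = sso_make_token(42, $host, $now);
var_dump(sso_verify_token($token, $host, $now + 5, $seen));        // first use
var_dump(sso_verify_token($token, $host, $now + 6, $seen));        // same token again
var_dump(sso_verify_token($token . 'x', $host, $now + 5, $seen));  // altered signature
var_dump(sso_verify_token($token, 'www.myexternalsiteB.com', $now + 5, $seen)); // other host
```

With a token like this, the image URL carries neither the password nor a decryptable form of it, so nothing reusable ends up in browser history or server access logs.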