How do I sign-in a server-side acquired SSO user into the Meteor Accounts package?


Question


Using Meteor, coffeescript and iron-router, I am successfully acquiring a user from a SAML Identity Provider (IdP).


How can I use these user details to sign-in the user via the Meteor Accounts package?

The following server-side route:

Router.route '/sso/saml2', where: 'server', name:'ssoSaml'
    .get ->
        @response.writeHead 302, 'Location': saml.getRequestUrl()
        @response.end()
    .post ->
        {secret:{password, email}, profile, state} = saml.getProfile @request.body.SAMLResponse
        user= Meteor.users.findOne {'profile.domainId': profile.domainId}
        userId = if user? then user._id else Accounts.createUser {password, email, profile}
        # I have the user id - How do I sign the user in?
        @response.writeHead 302, 'Location': "#{state.location}"
        @response.end()

The process is as follows:

  • The GET route redirects the browser to the IdP end-point with an appropriately generated SAMLRequest.
  • The IdP processes the SAMLRequest and returns a SAMLResponse to the POST route.
  • The SAMLResponse is processed, returning the user's secret fields, public profile and a state object containing the originally requested location.
  • The unique, immutable profile.domainId is used to retrieve the user from the Meteor user collection.
  • If no user exists a new one is created.


At the end of this process I have the user details and I know the user exists in the Meteor.users collection. To finish I need to sign-in the user and redirect to the originally requested location.

How do I sign in the user?

Answer


Ultimately, the login call that sets the user must be made from client code.

  1. Define a collection for login tokens:

@LoginTokens = new Mongo.Collection 'loginTokens'

  2. Use your original server-side routes, but create a one-time login token for the client to use to log in, then redirect to a client route, passing the token.

    Router.route '/sso/saml2', where: 'server', name:'ssoSaml'
        .get ->
            @response.writeHead 302, 'Location': saml.getRequestUrl()
            @response.end()
        .post ->
            {secret:{password, email}, profile, state} = saml.getProfile @request.body.SAMLResponse
            user= Meteor.users.findOne {'profile.domainId': profile.domainId}
            userId = if user? then user?._id else Accounts.createUser {password, email, profile}
            tokenId = LoginTokens.insert { userId, expires: +(new Date)+tokenExpirationInMilliseconds }
            @response.writeHead 302, 'Location': "/sso/login/#{tokenId}?loc=#{state.location}"
            @response.end()

  3. Register a custom login handler on the server accepting and validating a login token:

    Accounts.registerLoginHandler ({tokenId})->
        return unless tokenId?                               # not a token login: let other handlers run (findOne tokenId or {} would match any token when tokenId is missing)
        token = LoginTokens.findOne tokenId
        return unless token? and token.expires > +(new Date)  # unknown or expired token: reject
        LoginTokens.remove token._id                         # one-time use: consume the token before signing in
        {userId: token.userId}

  4. Call this handler on the client in your client-side route that receives the login token, but make sure the arguments match this strange signature (notice the array):

    Router.route '/sso/login/:tokenId', ->
        {tokenId, query} = @params
        Accounts.callLoginMethod
            methodArguments: [{tokenId}]
            userCallback: ->
                Router.go if query?.loc? then query.loc else '/'

  5. Finally, create a job on the server that regularly clears expired tokens:

    Meteor.setInterval ->
        LoginTokens.remove { expires: { $lte: +(new Date) } }
    , 1000

    Note: be sure to pass an object containing the login token as the element in the methodArguments array when calling your login method. Also, in the login handler, return an object with the userId property whose value is the user id for your user, in order to match the expected signatures.
