Scifabric / pybossa

PYBOSSA is the ultimate crowdsourcing framework (aka microtasking) to analyze or enrich data that can't be processed by machines alone.
http://pybossa.com
GNU Affero General Public License v3.0

Allow PyBossa users to sign in from external apps #162

Closed gka closed 10 years ago

gka commented 12 years ago

Imagine that you have a PyBossa server on domain1.com and want to create a PyBossa application frontend on domain2.com. The PyBossa API supports CORS, so it is possible to reach the API from origins other than domain1.com. However, this will only work for anonymous submissions since there's no way to log in from domain2.com.

My suggestion is to use a combination of OAuth and OpenID, as @pudo mentioned before.

See also: http://stackoverflow.com/a/841179/1532965

gka commented 12 years ago

For the record:

The only exception to the problem described above is the special case where the app lives on a subdomain of the PyBossa instance (say apps.domain1.com). What you need to do is to add the following to your settings_local.py:

# allow subdomains to access the auth cookie
REMEMBER_COOKIE_DOMAIN = '.domain1.com'
SESSION_COOKIE_DOMAIN = '.domain1.com'

This will tell the Flask login manager to make the session cookies accessible from subdomains, too. Then, the external app needs to set up a cross-domain proxy, since POST requests to different domains never transmit cookies. To log in, the app needs to append &next=http://apps.domain1.com/ in order to redirect the users back to the app after successful login.
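
An added example, not part of the original comment and not PyBossa code: it shows which hosts receive a cookie scoped to `.domain1.com` under the RFC 6265 domain-match rule, and one way to restrict the `next` redirect target to those hosts. `is_safe_next` is a hypothetical helper; how PyBossa itself handles `next` is not shown on this page.

```python
import ipaddress
from urllib.parse import urlsplit

COOKIE_DOMAIN = ".domain1.com"  # value from the settings_local.py lines above


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain=COOKIE_DOMAIN):
    """RFC 6265 section 5.1.3 domain-match: would a browser send a cookie
    scoped to cookie_domain along with a request to host?"""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")  # leading dot is ignored
    if host == domain:
        return True
    # Suffix match only on a label boundary, never for IP literals.
    return host.endswith("." + domain) and not _is_ip(host)


def is_safe_next(url, cookie_domain=COOKIE_DOMAIN):
    """Hypothetical check for the `next` parameter: accept only absolute
    http(s) URLs whose host falls inside the shared cookie domain."""
    # Browsers read "\" as "/" and drop control characters, so a URL
    # containing either can parse differently here; reject it outright.
    if "\\" in url or any(ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return domain_match(parts.hostname, cookie_domain)


if __name__ == "__main__":
    # Constructed sample values; domain1.com and domain2.com are the
    # placeholder hosts used in the thread.
    for u in ("http://apps.domain1.com/", "http://domain2.com/",
              "http://apps.domain1.com@domain2.com/", "//domain2.com/"):
        print(u, "->", is_safe_next(u))
```

Every host for which `domain_match` returns True receives the session cookie, so the setting extends trust to all subdomains of domain1.com, not only apps.domain1.com.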

nigini commented 12 years ago

I support this idea and would like to see it (and maybe help it to be) implemented.

pudo commented 12 years ago

strong +1 on this.

teleyinex commented 12 years ago

Hi,

I'm thinking of two possible solutions:

Do you have any other ideas about how we could implement this?

rufuspollock commented 12 years ago

I think there is (possibly) a simpler solution based on my experience doing a login setup (to github) for Data Explorer (see e.g. this code in boot.js):

It isn't as secure as proper OAuth but it may be simpler and works in pure JS ...

teleyinex commented 11 years ago

See the suggested solution for embedding apps in other sites here #315

teleyinex commented 10 years ago

Closing due to inactivity for two years.