wpsharks / comment-mail-kb

The Comment Mail™ and Comment Mail™ Pro Knowledge Base
http://comment-mail.com

SSO Integration #8

Open jaswrks opened 9 years ago

jaswrks commented 9 years ago

KB Article Creation Checklist

Additional TODO list items go here.


Published KB Article: http://comment-mail.com/kb-article/sso-integration/


kristineds commented 9 years ago

@jaswsinc: Love this article! I followed the instructions but I noticed that there was one missing step for the Facebook SSO integration.

Missing step for Facebook SSO Integration article


Step 6: Add Callback URL

Click on the Advanced Tab and look for the OAuth settings section. You will be asked for a Callback URL, which you can obtain from your Comment Mail™ installation via the WP Dashboard.

[Screenshot, 2015-06-25: Facebook app settings, Advanced tab, OAuth settings]

jaswrks commented 9 years ago

@kristineds writes...

Missing step for Facebook SSO Integration article

Did you find this was necessary in order to complete the integration? I'm curious to know if you had trouble getting this to work without that step, because as far as I know, this is not absolutely necessary; i.e., you can leave this blank and still be OK.

kristineds commented 9 years ago

Did you find this was necessary in order to complete the integration?

Agree. It works fine without it. i.e. I can still log in using my FB account to reply to the comment. But I saw that note on the field, warning users on the app being open to redirect attacks, that's why I added it. If it is unnecessary, then we could just go ahead and skip this step. :)

[Screenshot, 2015-06-27: Facebook app settings, note on the Callback URL field]

jaswrks commented 9 years ago

Copy that. Thank you. I will leave this open. I think setting this up is a very good idea, even though it is technically unnecessary. In the article we can add a section that explains what these redirects do and offer the suggestion that you should set this up for each of the SSO services at some point later.

jaswrks commented 9 years ago

Noting that in most cases, setting the OAuth redirect URI to the root domain of your site is enough to prevent the possibility of anything out of the ordinary; e.g., setting the redirect URI to http://example.com/ will allow for any redirect that returns to that domain, regardless of the final URL.

kristineds commented 8 years ago

@jaswsinc @raamdev: The screenshots provided in the tutorial for Google SSO Integration need to be updated, as the UI of the Google Developer Console dashboard has changed recently and this might be confusing for our customers.

NOTE: The KB article has been updated with these changes. http://comment-mail.com/kb-article/sso-integration/

raamdev commented 8 years ago

@kristineds Reviewed. Thank you for updating that! :-)


TODO

@jaswsinc writes ↑ in https://github.com/websharks/comment-mail-kb/issues/8#issuecomment-115827081...

In the article we can add a section that explains what these redirects do and offer the suggestion that you should set this up for each of the SSO services at some point later.

RealDavidoff commented 6 years ago

Status April 2018: Google SSO works; Twitter and Facebook cannot be made to work, though. Twitter: they changed something for OAuth; their KB refers to https://github.com/twitter/twurl, don't know if that helps? Fact is, we have tried every possible combination, an entire day, even adding the "access token and secret" instead of the "consumer key and secret", regenerated the consumer key and secret, changed permissions, recreated a new app multiple times, and on and on. Nothing got Twitter SSO to work. The error is always: "Whoa there! The request token for this page is invalid." Google wasn't actually helpful, despite linking to tons of references on this.

Facebook: We spent another entire day trying to solve facebook sso, but not working. Hours after hours of wading through possible solutions on google, trying again all suggested combinations of settings, but nothing got working.

Any chance Kristine or Jason could rework this kb page? https://comment-mail.com/kb-article/sso-integration/

RealDavidoff commented 6 years ago

I feel I should add another piece of helpful feedback: even with Google, after a successful login, the user is returned to the top of the page on our site. Of course the user should instead be returned to the actual comment form location, which, with dozens or hundreds of comments on the page, avoids the user getting lost scrolling forever.

So my second suggestion on this matter: Allowing CommentMail Plus customers to enter the actual comment form location where to return the user to. The generic commentmail return link, say for google, https://example.com/?comment_mail%5Bsso%5D%5Bservice%5D=google&comment_mail%5Bsso%5D%5Baction%5D=callback does not suffice here, as the user is being returned to the top of the page, always, in our case.

-- Alternatively, customers may be given a function for their functions.php that will take care of the correct return location?

RealDavidoff commented 6 years ago

Before I forget it: https://github.com/websharks/comment-mail/issues/199 "This feature has not been added yet, no. But it's still in the pipeline. :-)"

It seems Jason hasn't looked at Raam's (and 90% of all customers') feature request yet, still?

So we went ahead and, after all those years of waiting, implemented SSO nonetheless; see my two contributions above. And as for my first point, part b: Facebook, I can report more detail now after googling for another 8 hours...

1) Facebook's new forced "strict mode" appears to be the reason why FB cannot be set up anymore, and gives the error stated. It cannot be turned off anymore.

2) https://developers.facebook.com/docs/facebook-login/security/#strict_mode — scroll down to the key bit: "For apps with dynamic redirect URIs, use the state parameter to pass back the dynamic information to a limited number of redirect URIs. Then add each of the limited redirect URIs to the Valid OAuth redirect URIs list. For apps with a limited number of redirect URIs, add each one to the Valid OAuth redirect URIs list. For apps using only the Facebook SDK, redirect traffic is already protected. No further action is needed."

Of course, there's no way to add thousands of page URLs to FB's "Valid OAuth Redirect URIs" field... So I see two possible solutions:

Their wording "using ONLY the Facebook SDK" seems critical: I tried using their login button code, but it returns the same error as before ("") because I was now using the SDK AND Comment Mail's FB integration was still running in the background (which I wouldn't know how to cancel).

I hope all this helps, but I am there if you need more information.
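The thread above raises three related points: jaswrks's note that a root-domain redirect URI "allows any redirect that returns to that domain" (which no longer holds once a provider enforces exact matching, as Facebook's strict mode does), Facebook's own advice to register a small fixed set of redirect URIs and carry dynamic information in the `state` parameter, and RealDavidoff's request to return the user to the comment form rather than the top of the page. The following is an added example, not Comment Mail code and not part of the original thread, written in Python rather than the plugin's PHP so it can be run stand-alone. It shows one fixed, registered callback URI, a signed and time-limited `state` value that carries the same-site return path (including the `#comment-...` fragment), and the allowlist check that stops the `state` from becoming an open redirect. `SITE_HOST`, `CALLBACK_URI`, `STATE_SECRET`, the `APP_ID` placeholder and the sample return paths are all constructed for the example; the token exchange with the provider is out of scope and not shown.

```python
"""Fixed OAuth redirect URI + signed ``state`` carrying the return location.

Added example; not Comment Mail's implementation. Everything below that
names a host, URI or secret is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_HOST = "example.com"  # constructed: the WordPress site's own host
# Constructed: the ONE callback URI registered under "Valid OAuth Redirect URIs".
# It never changes per page; the page-specific part travels in ``state``.
CALLBACK_URI = ("https://example.com/?comment_mail[sso][service]=facebook"
                "&comment_mail[sso][action]=callback")
STATE_SECRET = b"constructed-secret-replace-with-a-random-key"  # assumption


def redirect_uri_allowed(registered, presented, strict):
    """Provider-side matching. Non-strict: prefix match, which is what the
    'root domain is enough' assumption relies on. Strict (Facebook strict
    mode): exact string match only, so a root-domain entry covers nothing
    but the root itself."""
    if strict:
        return presented in registered
    return any(presented.startswith(r) for r in registered)


def is_local_return_path(return_to):
    """Allow only same-site targets: a root-relative path (not protocol-
    relative ``//host``, no backslash tricks) or an https URL on SITE_HOST."""
    parts = urlsplit(return_to)
    if parts.scheme or parts.netloc:
        return parts.scheme == "https" and parts.netloc == SITE_HOST
    return (return_to.startswith("/") and not return_to.startswith("//")
            and "\\" not in return_to)


def _mac(raw):
    return hmac.new(STATE_SECRET, raw, hashlib.sha256).digest()


def make_state(return_to, nonce=None, now=None):
    """Build an HMAC-signed state: return path + per-login nonce + timestamp."""
    if not is_local_return_path(return_to):
        raise ValueError("return_to must point at this site")
    payload = {"r": return_to,
               "n": nonce if nonce is not None else os.urandom(8).hex(),
               "t": int(now if now is not None else time.time())}
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw + _mac(raw)).decode().rstrip("=")


def parse_state(state, now=None, max_age=600):
    """Verify signature and age; return the payload dict or None if invalid."""
    try:
        blob = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    except ValueError:
        return None
    raw, mac = blob[:-32], blob[-32:]
    if len(mac) != 32 or not hmac.compare_digest(mac, _mac(raw)):
        return None
    payload = json.loads(raw)
    current = now if now is not None else time.time()
    if current - payload["t"] > max_age:
        return None
    if not is_local_return_path(payload["r"]):  # re-check: never trust state alone
        return None
    return payload


def authorize_url(return_to, nonce=None, now=None):
    """The link behind a 'Log in with Facebook' button under a comment form."""
    query = {"client_id": "APP_ID",  # constructed placeholder
             "redirect_uri": CALLBACK_URI,
             "response_type": "code",
             "state": make_state(return_to, nonce, now)}
    return "https://www.facebook.com/v3.0/dialog/oauth?" + urlencode(query)


def handle_callback(callback_url, nonce_cookie, now=None):
    """Server side of the fixed callback. ``nonce_cookie`` is the nonce set in
    the browser when the login started; binding state to it blocks login CSRF.
    Returns the same-site URL to redirect to after the token exchange, or
    None to reject the callback."""
    params = parse_qs(urlsplit(callback_url).query)
    payload = parse_state(params.get("state", [""])[0], now)
    if payload is None or not hmac.compare_digest(payload["n"], nonce_cookie):
        return None
    return payload["r"]


if __name__ == "__main__":
    s = make_state("/2018/04/post/#comment-form", nonce="abc", now=1000)
    print(handle_callback(CALLBACK_URI + "&code=xyz&state=" + s, "abc", now=1100))
```

With this shape, Facebook's list needs exactly one entry (`CALLBACK_URI`), every comment page can still send the user back to its own `#comment-form` anchor, and an attacker who tampers with `state` or points it off-site gets `None` rather than a redirect.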