Protocols/WebAPI/Single Sign On to Web Pages

From NINA Wiki
Revision as of 11:30, 26 March 2020 by AD (talk | contribs)

Many AIM web pages require authentication before they will display protected content. Since the user has already authenticated to use the AIM client, we offer a service that allows the authentication to be transferred from the client to the web page. The API requires that a URL be formed from the clientLogin credentials and the destination URL, and then signed. Full documentation can be found at the client2Web site.

Here is a complete example of the single sign on process:

Step #1 - Form the client2Web URL

Just like startOSCARSession for authentication, client2Web needs OAuth-style URL signing, which is described along with clientLogin. URL signing requires that the computer's clock be accurate (or that the hostTime returned by clientLogin be used instead), that the parameters be in alphabetical order, and that percent-encoding use upper-case characters.

[KEY] - Client key used with clientLogin; for this API the parameter is called devId instead of k
[TOKEN] - URI encoded token extracted from clientLogin
[DESTURL] - URI encoded destination URL to redirect to after establishing web authentication session
[TIME] - The current time in seconds since UNIX EPOCH

$uri = "http://my.screenname.nina.bz/_cqr/login/login.psp";
# Parameters in alphabetical order
$queryString = "a=[TOKEN]&destURL=[DESTURL]&devId=[KEY]&entryType=client2Web&ts=[TIME]";
# Signature base string: method, encoded URI, encoded query string
$hashData = "GET&" . uri_encode($uri) . "&" . uri_encode($queryString);
$digest = hmac_sha256_base64($hashData, $sessionKey);
$url = $uri . "?" . $queryString . "&sig_sha256=$digest";

Step #2 - Launch a Browser

Using the URL from step one, launch the user's preferred browser with the URL. It is as simple as that.
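
The signing rules from Step #1, written out in Python as an added example; this is not code from the wiki or from the original API documentation. The function names, the `signing_time` offset helper and all sample values are assumptions, as is the choice to pass the token and destination URL in raw and encode them inside the function.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

LOGIN_URI = "http://my.screenname.nina.bz/_cqr/login/login.psp"  # from the page


def uri_encode(value: str) -> str:
    # Percent-encode everything outside the RFC 3986 unreserved set.
    # quote() emits upper-case hex digits, which the signing rules require.
    return quote(value, safe="-._~")


def signing_time(host_time=None, local_at_login=None) -> int:
    # If clientLogin's hostTime was saved together with the local clock at
    # login, apply that offset so a skewed local clock cannot break signing.
    now = int(time.time())
    if host_time is None or local_at_login is None:
        return now
    return now + (host_time - local_at_login)


def client2web_url(token, dest_url, dev_id, session_key, ts):
    # Assumption: token and dest_url arrive raw and are encoded here.
    params = {
        "a": token,
        "destURL": dest_url,
        "devId": dev_id,
        "entryType": "client2Web",
        "ts": str(ts),
    }
    # Sorting the names enforces the alphabetical order the signature needs.
    query = "&".join(f"{k}={uri_encode(params[k])}" for k in sorted(params))
    base = "GET&" + uri_encode(LOGIN_URI) + "&" + uri_encode(query)
    mac = hmac.new(session_key.encode(), base.encode(), hashlib.sha256).digest()
    # Assumption: standard padded base64; appended unencoded, as on the page.
    digest = base64.b64encode(mac).decode()
    return f"{LOGIN_URI}?{query}&sig_sha256={digest}", base


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, base = client2web_url("tok/en+1=", "http://example.com/a?b=c d",
                               "ex1AMPLEkey", "constructed-session-key",
                               signing_time())
    print(base)
    print(url)
```

The resulting URL carries the token and signature in its query string and targets the page's `http://` endpoint, so treat it as a credential: keep it out of logs and pass it only to the browser.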