Skip to content

Feature | Integrate auto-login at legacy.openstack.org by checking www.openstack.org localStorage #394

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 26 commits into
base: master
Choose a base branch
from
Open

Feature | Integrate auto-login at legacy.openstack.org by checking www.openstack.org localStorage #394

wants to merge 26 commits into from
+837 −98

Conversation

@matiasperrone-exo
Copy link
Contributor

@matiasperrone-exo matiasperrone-exo commented Sep 10, 2025
edited
Loading

Summary

Task request:

repo

https://github.com/OpenStackweb/openstack-org

We want users that are already authenticated at the shell app (www.openstack.org) to be automatically recognized and logged in when they navigate to legacy.openstack.org (SilverStripe 2.x). Since both apps are reverse-proxied under the same origin (www.openstack.org), the legacy pages can read localStorage values set by the shell.

  1. On initial page load, legacy should run a JS bootstrap that:

Reads localStorage.authinfo (accessToken, idToken, expiresIn, etc.).

Skips if no token or if expired.

Posts the tokens to a new secure endpoint on legacy (POST /oidc/session/bootstrap).

if return 204 reload the page to reflect login state.

2. Server Endpoint (/oidc/session/bootstrap)

Accepts only POST JSON requests with:

Authorization: Bearer header.

X-CSRF-Token header (double-submit cookie).

Validates the access token via IdP (JWT signature / introspection).

Maps a SilverStripe Member.

Calls $member->logIn() and rotates session ID.

Responds with 204 No Content on success.

dev notes

  • server endpoint should implement an instrospection request to IDP so we should need a new resource server at idp config

check here for reference https://github.com/OpenStackweb/summit-api/blob/ce76543fe712e7f20e10752470aebf0792c64b90/app/Models/ResourceServer/AccessTokenService.php#L134

  • Endpoints enforce CSRF (double-submit cookie), same-origin (Origin/Referer + Sec-Fetch-Site), POST + JSON only, no CORS.

  • Feature is behind SHELL_SSO_BOOTSTRAP_ENABLED. feature flag

Changes

Testing

Related Issues

@matiasperrone-exo matiasperrone-exo self-assigned this Sep 10, 2025
@matiasperrone-exo matiasperrone-exo deleted the feature/integrate-auto-login-at-legacy-by-checking-localstorage branch September 11, 2025 14:45
@matiasperrone-exo matiasperrone-exo restored the feature/integrate-auto-login-at-legacy-by-checking-localstorage branch September 11, 2025 14:45
smarcet
smarcet reviewed Sep 12, 2025
View reviewed changes
smarcet
smarcet reviewed Sep 12, 2025
View reviewed changes
smarcet
smarcet requested changes Sep 12, 2025
View reviewed changes
Copy link
Contributor

@smarcet smarcet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matiasperrone-exo please review comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smarcet smarcet Awaiting requested review from smarcet

Assignees

@matiasperrone-exo matiasperrone-exo

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matiasperrone-exo @smarcet