如何将服务器端获得的SSO用户登录到Meteor Accounts包中？

Question

Using Meteor , coffeescript and iron-router , I am successfully acquiring a user from a SAML Identity Provider (IdP).

How can I use these user details to sign-in the user via the Meteor Accounts package?

Consider the following server-side routes:

Router.route '/sso/saml2', where: 'server', name:'ssoSaml'
    .get ->
        @response.writeHead 302, 'Location': saml.getRequestUrl()
        @response.end()
    .post ->
        {secret:{password, email}, profile, state} = saml.getProfile @request.body.SAMLResponse
        user= Meteor.users.findOne {'profile.domainId': profile.domainId}
        userId = if user? then user._id else Accounts.createUser {password, email, profile}
        # I have the user id - How do I sign the user in?
        @response.writeHead 302, 'Location': "#{state.location}"
        @response.end()

The process is as follows:

• The GET route redirects the browser to the IdP end-point with an appropriately generated SAMLRequest .
• The IdP processes the SAMLRequest and returns a SAMLResponse to the POST route.
• The SAMLResponse is processed returning the user's secret fields, public profile and a state object containing the originally requested location
• The unique, immutable profile.domainId is used to retrieve the user from the Meteor user collection
• If no user exists a new one is created.

At the end of this process I have the user details and I know the user exists in the Meteor.users collection. To finish I need to sign-in the user and redirect to the originally requested location.

How do I sign-in the user?

Answer 1

Ultimately, the login call that sets the user must be made from client code.

1. Define a collection for login tokens:

    @LoginTokens = new Mongo.Collection 'loginTokens' 

2. Use your original server-side routes, but create a one-time login token for the client to use to log in, then redirect to a client route, passing the token.

    Router.route '/sso/saml2', where: 'server', name:'ssoSaml' .get -> @response.writeHead 302, 'Location': saml.getRequestUrl() @response.end() .post -> {secret:{password, email}, profile, state} = saml.getProfile @request.body.SAMLResponse user= Meteor.users.findOne {'profile.domainId': profile.domainId} userId = if user? then user?._id else Accounts.createUser {password, email, profile} tokenId = LoginTokens.insert { userId, expires: +(new Date)+tokenExpirationInMilliseconds } @response.writeHead 302, 'Location': "/sso/login/#{tokenId}?loc=#{state.location}" @response.end() 

3. Register a custom login handler on the server accepting and validating a login token:

    Accounts.registerLoginHandler ({tokenId})-> {userId} = LoginTokens.findOne tokenId or {} return {userId} if userId? 

4. Call this handler on the client in your client-side route that receives the login token, but make sure the arguments match this strange signature (notice the array):

    Router.route '/sso/login/:tokenId', -> {tokenId, query} = @params Accounts.callLoginMethod methodArguments: [{tokenId}] userCallback: -> Router.go if query?.loc? then query.loc else '/' 

5. Finally, create a job on the server that regularly clears expired tokens:

    Meteor.setInterval -> LoginTokens.remove { expires: { $lte: +(new Date) } } , 1000 

** Note: be sure to pass an object containing the login token as the element in the methodArguments array when calling your login method, Also, in the login handler, return an object with the userId property whose value is the user id for your user, in order to match the expected signatures.