
EVE Technology Lab


SSO - How do I get the second server request to work with $.ajax()?

Vex Munda
Anti Enslavement Movement
#1 - 2016-11-12 07:13:33 UTC  |  Edited by: Vex Munda
Hey,

I have been trying to fully log in to the SSO (using the jQuery .ajax() function).



The code I am using to make the request for the validation is:


// The code recovered from the redirect URL (?code=...)
var authorization_code = new URL(location.href).searchParams.get('code');

$("#ajax").click(function () {
    $.ajax('https://login.eveonline.com/oauth/token', {
        type: 'post',
        data: {
            "grant_type": "authorization_code",
            "code": authorization_code
        },
        headers: {
            //NEED TO MAKE THE AUTHORIZATION CODE NOT AVAILABLE TO CLIENT AND USE SERVER
            "Authorization": 'Basic MzFmYjZkM2QxOWY=:bHV5d0g0YkVlVjA5UTBUSQ=='
        },
        // jsonp makes jQuery load a script tag instead of posting, so the call
        // becomes a GET with a callback= parameter (visible in the request URL)
        dataType: 'jsonp',
        success: function (data) {
            console.info(data);
        }
    });
});


In the browser it shows that it makes this request to the eve server:

Request URL:https://login.eveonline.com/oauth/token?callback=jQuery31102722618817699143_1478933693943&grant_type=authorization_code&code=OvasfIF_MyrE2o0&_=1478933693944


This request results in a 404 - Not Found. I noticed that it also adds some callback=jQuery311... in the url. This might be causing the issue. Any ideas on how to get this code to work properly?
Blacksmoke16
Imperial Academy
#2 - 2016-11-12 15:27:53 UTC
What is the callback url you have set on the devsite?
Vex Munda
Anti Enslavement Movement
#3 - 2016-11-12 15:51:55 UTC
Blacksmoke16 wrote:
What is the callback url you have set on the devsite?


http://localhost/pathtomyhomepage.html

Blacksmoke16
Imperial Academy
#4 - 2016-11-12 16:03:33 UTC
That's your problem.

You can't have the page redirect to an html page. It should be like a php file or something similar to extract the auth code from the url after signing in then do the POST to verify that code and get a token.
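As an added example (not code from the thread, nor from EVE's SSO), the server-side code exchange Blacksmoke16 describes, assembled as plain request pieces so it can be checked without a network; the client id, secret and code values are constructed placeholders. Note that the Basic header is base64 of the single string id:secret, whereas the header in post #1 joins two separately encoded halves with a colon.

```javascript
// Added example (not from the thread): the server-side code exchange that
// Blacksmoke16 describes. Nothing here touches the network; the functions only
// assemble and parse the pieces so they can be checked offline. The client id,
// secret and code used with them are constructed placeholders.
const TOKEN_URL = 'https://login.eveonline.com/oauth/token';

// Step 1 (server handling the redirect): pull ?code=... and ?state=... out of
// the URL the browser lands on after sign-in.
function extractAuthCode(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;
  const code = params.get('code');
  if (!code) throw new Error('redirect carries no authorization code');
  return { code, state: params.get('state') };
}

// Step 2: assemble the POST that trades the code for a token. The secret comes
// from server configuration and never reaches a page served to the browser.
function buildTokenRequest(clientId, clientSecret, code) {
  // HTTP Basic is base64 of the single string "id:secret", not two
  // separately encoded halves joined with ':'.
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const body = new URLSearchParams({ grant_type: 'authorization_code', code });
  return {
    url: TOKEN_URL, // a plain POST: no JSONP, no callback= parameter
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Step 3: keep only the fields the app needs from the JSON token response.
function parseTokenResponse(json) {
  const t = JSON.parse(json);
  if (!t.access_token) throw new Error(t.error || 'no access_token in response');
  return {
    accessToken: t.access_token,
    refreshToken: t.refresh_token || null, // present with the code flow
    expiresIn: t.expires_in,
  };
}
```

The object returned by buildTokenRequest maps directly onto the arguments of any server-side HTTP client; the point is that this request, and the secret inside it, run only on the server.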
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#5 - 2016-11-12 22:20:37 UTC
https://www.fuzzwork.co.uk/market/viewer2/

It's possible to do entirely in JS.

However, you don't get the refresh token when using this method. So you have 20 minutes of auth.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Vex Munda
Anti Enslavement Movement
#6 - 2016-11-13 13:06:40 UTC
Blacksmoke16 wrote:
That's your problem.

You can't have the page redirect to an html page. It should be like a php file or something similar to extract the auth code from the url after signing in then do the POST to verify that code and get a token.


This is after extracting the auth code from the redirect (the html file has some javascript in it that does that). It is the POST request that causes the issue.
Vex Munda
Anti Enslavement Movement
#7 - 2016-11-14 02:46:41 UTC
Ok, I am getting really close to getting the SSO to work! Actually I did manage to get my first access_token. But...I am not quite there yet. I had to disable something called CORS (Cross-Origin Resource Sharing) in my browser. Disabling this is a major security breach to browsers and thus not an option. What am I supposed to do to resolve this issue? My current code is:

// The code recovered from the redirect URL (?code=...)
var authorization_code = new URL(location.href).searchParams.get('code');

function loadDoc() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function () {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("ajax").innerHTML = "test";
    }
  };
  // grant_type and code travel in the query string; the body sent below is empty
  xhttp.open("POST", "https://login.eveonline.com/oauth/token?grant_type=authorization_code&code=" + encodeURIComponent(authorization_code), true);
  //NEED TO MAKE THE AUTHORIZATION CODE NOT AVAILABLE TO CLIENT AND USE SERVER
  xhttp.setRequestHeader("Authorization", "Basic MzFmYjZkNmI0MmVmdkVlVjA5UTBUSQ==");
  xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  // cross-origin request with a custom Authorization header: the browser sends a CORS preflight first
  xhttp.send();
}
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#8 - 2016-11-14 13:07:58 UTC
Go with the implicit method. It doesn't require cors to be turned off, passing the auth token on the reply.

As per the page I linked. Yes, it's limited to 20 minutes, but it's what it's designed for.

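An added example (not Steve's code, nor from the thread) of the implicit flow he recommends: the token comes back in the URL fragment, so the page never needs the client secret and no cross-origin POST is made. The authorize endpoint path, client id and redirect URI are assumed placeholder values.

```javascript
// Added example (not from the thread): implicit grant in browser JavaScript.
// The token arrives in the URL fragment (#access_token=...), so no client
// secret and no cross-origin POST are needed; only the client id is exposed.
// Endpoint path, client id and redirect URI are assumed placeholder values.
const AUTHORIZE_URL = 'https://login.eveonline.com/oauth/authorize'; // assumed path
const STATE_KEY = 'eve_sso_state';

// Random per-login state, stored so the callback can reject a token that did
// not come from a login this page started.
function makeState() {
  const bytes = new Uint8Array(16);
  crypto.getRandomValues(bytes);
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// response_type=token selects the implicit flow: the reply carries the access
// token itself instead of an authorization code.
function buildLoginUrl(clientId, redirectUri, scopes, state) {
  const q = new URLSearchParams({
    response_type: 'token', redirect_uri: redirectUri,
    client_id: clientId, scope: scopes.join(' '), state,
  });
  return `${AUTHORIZE_URL}?${q}`;
}

// On the callback page: read the fragment, check state, return the token, or
// null when the fragment has no token or the state does not match.
function parseImplicitReply(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  const token = p.get('access_token');
  if (!token || p.get('state') !== expectedState) return null;
  return {
    accessToken: token,
    tokenType: p.get('token_type') || 'Bearer',
    expiresIn: Number(p.get('expires_in')), // about 20 minutes; no refresh token
  };
}

// Browser wiring, guarded so the functions above also load outside a browser.
if (typeof window !== 'undefined') {
  const token = parseImplicitReply(window.location.hash, sessionStorage.getItem(STATE_KEY));
  if (token) {
    history.replaceState(null, '', window.location.pathname); // scrub token from URL/history
    sessionStorage.removeItem(STATE_KEY);
    console.info('logged in for', token.expiresIn, 'seconds');
  }
}
```

To start a login, store makeState() under STATE_KEY in sessionStorage and navigate to buildLoginUrl(clientId, redirectUri, scopes, state); the same page, loaded as the redirect target, then picks the token out of the fragment.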

Vex Munda
Anti Enslavement Movement
#9 - 2016-11-14 15:45:10 UTC
Steve Ronuken wrote:
Go with the implicit method. It doesn't require cors to be turned off, passing the auth token on the reply.

As per the page I linked. Yes, it's limited to 20 minutes, but it's what it's designed for.

Thanks for the reply. Can you please post a bit of example code? That would make my life a lot easier, and it would also be a better reference for other people struggling with the SSO. Also, the implicit method, is that the one I used at the beginning of this post?
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#10 - 2016-11-14 20:32:01 UTC
erittainvarma
Fistful of Finns
#11 - 2016-11-15 09:32:38 UTC
Doesn't doing all in client side javascript expose your application secret key?
Vex Munda
Anti Enslavement Movement
#12 - 2016-11-15 09:50:52 UTC
erittainvarma wrote:
Doesn't doing all in client side javascript expose your application secret key?

Yes, it does (hence the comment in my code). But at the moment I just want it to work for testing and developing purposes on my localhost.

If I can do it clientside I should also be able to figure out how to do it serverside as well; atm my serverside skills are lacking/barely existent.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#13 - 2016-11-15 11:38:54 UTC
erittainvarma wrote:
Doesn't doing all in client side javascript expose your application secret key?



With the implicit version, it only exposes the id.


(tbh, the key is exposed any time you have a client side app. It's only _somewhat_ secret)
