| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| v:2.0:sso [2019/05/01 02:03] – [The Details] adam | v:2.0:sso [2019/11/04 07:30] – [The Details] foxybrett |
|---|
| If shared-authentication is enabled, the checkout will //not// load unless a valid ''fc_auth_token'' (and other supporting information) is passed in by your endpoint when it redirects the user. Here's what the checkout expects and requires. | If shared-authentication is enabled, the checkout will //not// load unless a valid ''fc_auth_token'' (and other supporting information) is passed in by your endpoint when it redirects the user. Here's what the checkout expects and requires. |
| * ''fc_auth_token'': The authentication token is a SHA-1 hash of the FoxyCart customer ID (available through the [[api|API]]), the expiration timestamp, and [[v:2.0:store_secret|the store's secret key]]. These values are separated by ''|'' (the pipe symbol). Here's what it might look like in PHP:<code php> | * ''fc_auth_token'': The authentication token is a SHA-1 hash of the FoxyCart customer ID (available through the [[api|API]]), the expiration timestamp, and [[v:2.0:store_secret|the store's secret key]]. These values are separated by ''|'' (the pipe symbol). Here's what it might look like in PHP:<code php> |
| $auth_token = sha1($customer_id . '|' . $timestamp . '|' . $foxycart_api_key); | $auth_token = sha1($customer_id . '|' . $timestamp . '|' . $foxycart_secret_key); |
| </code> or in Ruby: <code ruby>Digest::SHA1.hexdigest("#{customer_id}|#{timestamp}|#{foxycart_secret_key}")</code> | </code> or in Ruby: <code ruby>Digest::SHA1.hexdigest("#{customer_id}|#{timestamp}|#{foxycart_secret_key}")</code> or JavaScript: <code javascript>const crypto = require('crypto'); |
| | module.exports.generateSsoUri = function (customerId, timestamp, secret, sessionId) { |
| | if (!customerId || !timestamp || !secret) { |
| | return false; |
| | } |
| | let stringToSign = `${customerId}|${timestamp}|${secret}`; |
| | let token = crypto.createHash('sha1').update("" + stringToSign).digest('hex'); |
| | let uri = `https://${storeDomain}/checkout?fc_customer_id=${customerId}×tamp=${timestamp}&fc_auth_token=${token}`; |
| | if (sessionId && validator.isAlphanumeric(sessionId)) { |
| | uri += `&fcsid=${sessionId}`; |
| | } |
| | return uri; |
| | }</code> |
| * It is critically important to note that the ''timestamp'' value you hash must match the ''timestamp'' value you send in the clear (below). Again, the ''timestamp'' provided //to// your endpoint must not be used when passed back to FoxyCart, as that timestamp will already be in the past. | * It is critically important to note that the ''timestamp'' value you hash must match the ''timestamp'' value you send in the clear (below). Again, the ''timestamp'' provided //to// your endpoint must not be used when passed back to FoxyCart, as that timestamp will already be in the past. |
| * ''fcsid'': The FoxyCart session ID. This is necessary to prevent issues with users with 3rd party cookies disabled and stores that are not using a custom subdomain. | * ''fcsid'': The FoxyCart session ID. This is necessary to prevent issues with users with 3rd party cookies disabled and stores that are not using a custom subdomain. |
| |
| Important things to note: | Important things to note: |
| * The API token at the start of the script will need to be set to your store's API key, and similarly the URL to redirect to at the bottom of the script will also need to be updated. | * The API token at the start of the script will need to be set to your [[v:2.0:store_secret|store's secret key]], and similarly the URL to redirect to at the bottom of the script will also need to be updated. |
| * The check for the auth token and the timestamp act as the validation that this request is legitimately from the receipt - it's important that these checks are completed | * The check for the auth token and the timestamp act as the validation that this request is legitimately from the receipt - it's important that these checks are completed |
| * Not included above is the actual code to log the user in on your website. This will be different depending on the authentication system you're using. Consult the documentation for your system for how to approach that. | * Not included above is the actual code to log the user in on your website. This will be different depending on the authentication system you're using. Consult the documentation for your system for how to approach that. |
