Skip to content

SSO: Getting rid of the user token. #16915

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sergeymitr merged 1 commit into from
Aug 21, 2020
Merged

SSO: Getting rid of the user token. #16915

sergeymitr merged 1 commit into from
Aug 21, 2020

Conversation

@sergeymitr
Copy link
Contributor

@sergeymitr sergeymitr commented Aug 20, 2020

Changes proposed in this Pull Request:

The SSO login process performs an API request to WP.com (jetpack.sso.validateResult endpoint) to validate the authentication the results and get user information.

Jetpack tries to use user_token for that request, but at that point the user is not authenticated in WP, so user_id equals 0, thus blog_token is used for authorization anyway.

That makes the commit janitorial with no functional changes.

Jetpack product discussion

Part of the issue #16709.
Related to #16830.

Does this pull request change what data or activity we track or use?

No.

Testing instructions:

  1. Go to "Jetpack -> Settings -> Security" and enable the "WordPress.com login" feature.
  2. Log out of WordPress.
  3. Try to login using WordPress.com account.
  4. Confirm you're logged in.

Proposed changelog entry for your changes:

n/a.

@sergeymitr
SSO: Getting rid of the user token.
dfcc057 
The SSO login process performs an API request to WP.com (`jetpack.sso.validateResult` endpoint) to validate the authentication the results and get user information.

Jetpack tries to use `user_token` for that request, but at that point the user is not authenticated in WP, so `user_id` equals `0`, thus `blog_token` is used for authorization anyway.

That makes the commit janitorial with no functional changes.
@sergeymitr sergeymitr added this to the 8.9 milestone Aug 20, 2020
@sergeymitr sergeymitr requested a review from a team August 20, 2020 17:05
@sergeymitr sergeymitr self-assigned this Aug 20, 2020
@jetpackbot
Copy link
Collaborator

jetpackbot commented Aug 20, 2020

Thank you for the great PR description!

When this PR is ready for review, please apply the [Status] Needs Review label. If you are an a11n, please have someone from your team review the code if possible. The Jetpack team will also review this PR and merge it to be included in the next Jetpack release.

E2E results is available here (for debugging purposes): https://jetpack-e2e-dashboard.herokuapp.com/pr-16915

Scheduled Jetpack release: September 1, 2020.
Scheduled code freeze: August 25, 2020

Generated by 🚫 dangerJS against dfcc057

@fgiannar fgiannar mentioned this pull request Aug 20, 2020
Closed
10 tasks
fgiannar
fgiannar approved these changes Aug 21, 2020
View reviewed changes
Copy link
Contributor

@fgiannar fgiannar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@fgiannar fgiannar added [Status] Needs Team Review Obsolete. Use Needs Review instead. [Status] Ready to Merge Go ahead, you can push that green button! and removed [Status] Needs Review This PR is ready for review. [Status] Needs Team Review Obsolete. Use Needs Review instead. labels Aug 21, 2020
@sergeymitr sergeymitr merged commit b9b7bd4 into master Aug 21, 2020
@sergeymitr sergeymitr deleted the update/blog-token-sso-for-real branch August 21, 2020 13:14
@matticbot matticbot added [Status] Needs Changelog and removed [Status] Ready to Merge Go ahead, you can push that green button! labels Aug 21, 2020
jeherve added a commit that referenced this pull request Aug 25, 2020
@jeherve
Changelog: add #16915
1776ded
pereirinha pushed a commit that referenced this pull request Sep 10, 2020
@sergeymitr
[not verified] SSO: Getting rid of the user token. (#16915)
7476842 
The SSO login process performs an API request to WP.com (`jetpack.sso.validateResult` endpoint) to validate the authentication the results and get user information.

Jetpack tries to use `user_token` for that request, but at that point the user is not authenticated in WP, so `user_id` equals `0`, thus `blog_token` is used for authorization anyway.

That makes the commit janitorial with no functional changes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fgiannar fgiannar fgiannar approved these changes

Assignees

@sergeymitr sergeymitr

Labels

[Feature] SSO [Type] Janitorial

Projects

None yet

Milestone

8.9

Development

Successfully merging this pull request may close these issues.

6 participants

@sergeymitr @jetpackbot @fgiannar @jeherve @matticbot