Implementing automatic login to a third-party website

My Node-based web service links to an external third-party site that requires a username / password, which we also have (but not the same as our web service's own login). In order to ensure a smooth user experience, when a user clicks on a link to the third-party site, I would like to automatically register them with a username / password and take them straight to the external dashboard page.

At the very least, I would like to pre-fill the third-party login form with this information, but this post, detailing a situation like this, does not make me optimistic.

I don't believe the third-party site supports OAuth or the existing SSO protocols. I cannot use an iframe. One viable option seems to be using some kind of proxy, or using requests (or tokens?) on the third-party site.

Knowing that I have no control over the third-party end, what are some high-level options for achieving this ultimate goal? What are some of the things I need to be careful about when choosing a solution?

+3




1 answer


The short answer is that you cannot do this if the foreign site uses CSRF protection on the form or does not allow request parameters for form input.

You can try this:

Inspect the source code of the login page and use the HTML input name tags in your redirect request. So, if the form has username and password input fields, you must use those two names.

Now, please keep in mind that what you are trying to do is usually NOT a good idea.

Storing user credentials for another website is a HUGE security risk, and it's really not a good idea. If the site / service does not offer SSO / OAuth, this is likely to be a problem for you in the future.

Among other things, here are some of the bad things that can happen:

  • Someone gains access to the domain and logs all requests with a username / password.
  • The user's computer has been hacked or started by a human, so when you redirect the user to that site, a third party captures the username and password information.
  • The website changes its registration form and you end up sending credentials elsewhere by accident.
  • The website is logging its incoming GET requests and now has a bunch of credentials stored in clear text on its web servers (if those logs get out, which is bad).
+2


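The following is an added example, not code from the answer above or from any project: it turns the "inspect the form and reuse its input names" advice into a small Node.js script, and it refuses to build the redirect in exactly the cases the answer warns about (a hidden anti-CSRF token, a form that submits via GET so credentials land in the URL and logs, and a form action that has moved off the expected site). The login page URL `https://dashboard.example.net/login`, the origin `https://dashboard.example.net`, the field names `user_login` / `user_pass` and all three HTML snippets are constructed for illustration; a real deployment would fetch the page over HTTPS and would still carry the credential-storage risk the answer describes.

```javascript
// Added example (not from the original answer): parse a third-party login page,
// decide whether a credential-carrying redirect is even possible, and refuse it
// when an anti-CSRF token, a GET submission or an off-site action is found.
// Plain Node.js, no dependencies. All HTML, host names and credentials below
// are constructed for illustration.

const PAGE_URL = 'https://dashboard.example.net/login';   // assumed login page URL
const EXPECTED_ORIGIN = 'https://dashboard.example.net';  // the only place credentials may go

// Constructed sample: plain POST form, no token.
const PLAIN_FORM = `<form action="https://dashboard.example.net/login" method="post">
  <input type="text" name="user_login" placeholder="Username">
  <input type="password" name="user_pass">
  <input type="submit" value="Sign in">
</form>`;

// Constructed sample: same site, but the form now carries a hidden anti-CSRF token.
const CSRF_FORM = `<form action="/session" method="POST">
  <input type="hidden" name="authenticity_token" value="9f3c2a">
  <input type="email" name="email">
  <input type="password" name="password">
</form>`;

// Constructed sample: no method attribute, so the browser submits via GET.
const GET_FORM = `<form action="https://dashboard.example.net/login"><input name="u"><input type="password" name="p"></form>`;

// Read one attribute out of a tag's attribute string (double-, single- or un-quoted).
function attr(tagAttrs, name) {
  const m = tagAttrs.match(new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>"\']+))', 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Extract the first form's resolved action, method and named inputs.
function parseLoginForm(html, pageUrl) {
  const match = html.match(/<form\b([^>]*)>([\s\S]*?)<\/form>/i);
  if (!match) return null;
  const [, formAttrs, body] = match;
  const inputs = [];
  const inputRe = /<input\b([^>]*?)\/?>/gi;
  let m;
  while ((m = inputRe.exec(body)) !== null) {
    const name = attr(m[1], 'name');
    if (!name) continue;                                   // unnamed inputs are never submitted
    inputs.push({ name, type: (attr(m[1], 'type') || 'text').toLowerCase(), value: attr(m[1], 'value') ?? '' });
  }
  return {
    action: new URL(attr(formAttrs, 'action') || '', pageUrl).href,  // relative actions resolve against the page
    method: (attr(formAttrs, 'method') || 'GET').toUpperCase(),
    inputs,
  };
}

const TOKEN_HINT = /csrf|xsrf|token|nonce|authenticity/i;   // heuristic names for anti-CSRF fields

// Return { feasible, reasons, userName, passName }. Each reason is one way the
// redirect either cannot work or would leak the credentials.
function assessPrefill(form, expectedOrigin) {
  if (!form) return { feasible: false, reasons: ['no <form> found on the login page'] };
  const reasons = [];
  const userField = form.inputs.find(i => i.type === 'text' || i.type === 'email');
  const passField = form.inputs.find(i => i.type === 'password');
  if (!userField || !passField) reasons.push('could not identify username and password fields');
  const tokens = form.inputs.filter(i => i.type === 'hidden' && TOKEN_HINT.test(i.name));
  if (tokens.length) reasons.push(`anti-CSRF token field present (${tokens.map(t => t.name).join(', ')}); a redirect cannot supply a valid one`);
  if (form.method !== 'POST') reasons.push('form submits via GET; credentials would land in the URL and in server logs');
  if (new URL(form.action).origin !== expectedOrigin) reasons.push(`form action ${form.action} is not on ${expectedOrigin}`);
  return { feasible: reasons.length === 0, reasons, userName: userField && userField.name, passName: passField && passField.name };
}

const escapeAttr = s => String(s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Build the self-submitting page the user is bounced through. Values are escaped so a
// credential containing quotes cannot break out of its attribute.
function buildAutoSubmitPage(form, assessment, username, password) {
  if (!assessment.feasible) throw new Error('refusing to build redirect: ' + assessment.reasons.join('; '));
  const fields = form.inputs.filter(i => i.type !== 'submit').map(i => {
    const value = i.name === assessment.userName ? username : i.name === assessment.passName ? password : i.value;
    return `<input type="hidden" name="${escapeAttr(i.name)}" value="${escapeAttr(value)}">`;
  }).join('\n  ');
  return `<!doctype html><body><form id="f" method="POST" action="${escapeAttr(form.action)}">
  ${fields}
</form><script>document.getElementById('f').submit()</script></body>`;
}

// Walk the three constructed pages and report the decision for each.
for (const [label, html] of [['plain', PLAIN_FORM], ['csrf', CSRF_FORM], ['get', GET_FORM]]) {
  const a = assessPrefill(parseLoginForm(html, PAGE_URL), EXPECTED_ORIGIN);
  console.log(label + ':', a.feasible ? 'feasible' : 'refused (' + a.reasons.join('; ') + ')');
}
```

Pinning the resolved form action to an expected origin is what turns the answer's "the website changes its form and you end up sending credentials elsewhere" scenario into a hard refusal instead of a silent leak, and rejecting anything but POST keeps the password out of the third party's access logs. Even so, this only works while the target form stays token-free; the first time it grows a CSRF field the assessment flips to refused and the script has nothing to offer.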