Stateless (Keyless) SSO

Security Warning!

Unlike Stateless SSO, Stateless (Keyless) SSO does not validate the user data sent by the client. You should only use this method if:

  • You do not have access to your website's back-end.
  • Your authentication provider uses secure random user IDs (e.g. UUIDs) and keeps them private (if user IDs are compromised, an attacker can use them to impersonate someone else in the comments section).

If your authentication provider supports it, consider using OpenID Connect SSO instead.

Stateless (Keyless) SSO works the same way as Stateless SSO except that it does not require sso-hash.

Enabling

Configuring

In the front-end, set the sso-user attribute to a base-64-encoded JSON object. Here is a JavaScript example.

const comments = document.querySelector('hyvor-talk-comments');

// sso-user is the JSON user object, base-64 encoded (btoa handles Latin-1
// strings only; names with other characters need UTF-8 bytes encoded first).
comments.setAttribute('sso-user', btoa(JSON.stringify({

    // Unix time in seconds when this value was generated
    timestamp: Math.floor(Date.now() / 1000),

    id: 'user-id',              // secure random ID from your auth provider
    name: 'user-name',
    email: 'user-email',
    picture_url: 'user-picture-url',
    website_url: 'user-website-url',

})))

You can see the user object definition here.
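The following is an added example, not code from the Hyvor Talk documentation. It builds the sso-user value as the page describes (a base-64-encoded JSON object with the fields listed above), but encodes the JSON as UTF-8 bytes first so that names containing characters outside Latin-1 do not make btoa throw, refuses to build a value without an id, and decodes the value back so you can check what the server will parse. The helper names, the sample user and its placeholder UUID are assumptions made for this example.

```javascript
// Added example (not from the Hyvor Talk docs): building the sso-user
// attribute value for Stateless (Keyless) SSO as a base-64-encoded JSON
// object, in a way that survives non-Latin-1 characters in names.
// Field names (timestamp, id, name, email, picture_url, website_url)
// are the ones the page lists; the helper names are assumptions.

// Encode a JS string as UTF-8 bytes, then base-64. Plain btoa throws on
// code points above U+00FF (accented or CJK names, for example).
function base64EncodeUtf8(str) {
  const bytes = new TextEncoder().encode(str);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Inverse of base64EncodeUtf8: base-64 text back to a JS string.
function base64DecodeUtf8(b64) {
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Build the sso-user value from a user record. `id` is required: in keyless
// mode it is the only thing tying the comment to the user, so it must be the
// non-guessable identifier (e.g. a UUID) issued by your authentication provider.
function buildSsoUser(user, now = Math.floor(Date.now() / 1000)) {
  if (typeof user.id !== 'string' || user.id.length === 0) {
    throw new Error('sso-user requires a non-empty string id');
  }
  const payload = {
    timestamp: now,
    id: user.id,
    name: user.name,
    email: user.email,
    picture_url: user.picture_url,
    website_url: user.website_url,
  };
  return base64EncodeUtf8(JSON.stringify(payload));
}

// Decode an sso-user value back into the object the server will parse.
function parseSsoUser(value) {
  return JSON.parse(base64DecodeUtf8(value));
}

// Constructed sample user (not real data), with a non-Latin-1 name.
const sampleUser = {
  id: '6f1c2e9a-0000-4000-8000-000000000000', // placeholder UUID
  name: 'Zoë Müller 山田',
  email: 'zoe@example.com',
  picture_url: 'https://example.com/zoe.png',
  website_url: 'https://example.com',
};

// In a browser, attach the value to the comments element as the page shows.
if (typeof document !== 'undefined') {
  const comments = document.querySelector('hyvor-talk-comments');
  if (comments) comments.setAttribute('sso-user', buildSsoUser(sampleUser));
}
```

Run parseSsoUser on the value you set to confirm the fields round-trip before relying on the element to render the user; a value that fails to decode, or decodes without an id, is the usual cause of comments appearing as a guest.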