search

SSO Integration

hashtag
Overview

Atlas Auth Guard provides a popup-based SSO flow that allows consumer applications to integrate Google OAuth authentication with minimal code. The Auth Guard handles the entire OAuth flow, and your application just needs to:

  1. Open a popup window

  2. Listen for a postMessage with the auth result

  3. Store the token

No callback page needed in your application!

hashtag
Quick Start

hashtag
Minimal Integration (10 lines of code)

function login(teamId, projectId) {
  // 1. Open SSO popup
  const authGuardUrl = 'https://your-auth-guard.run.app';
  let ssoUrl = `${authGuardUrl}/v1/auth/sso?origin=${encodeURIComponent(window.location.origin)}`;

  // Optional: Login to a specific team
  if (teamId) {
    ssoUrl += `&team_id=${encodeURIComponent(teamId)}`;
  }

  // Optional: Login to a specific project (requires team_id)
  if (projectId && teamId) {
    ssoUrl += `&project_id=${encodeURIComponent(projectId)}`;
  }

  const popup = window.open(ssoUrl, 'Atlas SSO', 'width=500,height=600,left=100,top=100');

  // 2. Listen for auth result
  window.addEventListener('message', function handler(event) {
    // Verify origin
    if (!event.origin.includes('your-auth-guard.run.app')) return;

    if (event.data.type === 'ATLAS_AUTH_SUCCESS') {
      const { token, user } = event.data;

      // 3. Store credentials
      localStorage.setItem('auth_token', token);
      localStorage.setItem('user', JSON.stringify(user));

      // 4. Update your app state
      console.log('Logged in as:', user.user_email);
      console.log('Team:', user.team_name);       // User's team context
      console.log('Project:', user.project_name); // User's project context
      window.removeEventListener('message', handler);

      // Refresh page or update UI
      location.reload();
    } else if (event.data.type === 'ATLAS_AUTH_ERROR') {
      console.error('Login failed:', event.data.error);
      window.removeEventListener('message', handler);
    }
  });
}

// Usage examples:
login();                                                                    // Default team/project login
login('ab2785b2-b5d0-4926-92fb-00aae5ec860a');                             // Login to specific team
login('ab2785b2-b5d0-4926-92fb-00aae5ec860a', 'cd1234e5-f6g7-8h9i-jklm'); // Login to specific team + project

hashtag
HTML Button Example

hashtag
API Reference

hashtag
GET /v1/auth/sso

Opens the SSO login page in a popup window.

Query Parameters:

Parameter
Required
Description

origin

Yes

Your app's origin URL (e.g., https://myapp.turing.com)

team_id

No

Team ID for team-specific login

Example URLs:

hashtag
postMessage Events

The popup sends these messages to the opener window:

hashtag
Success: ATLAS_AUTH_SUCCESS

hashtag
Error: ATLAS_AUTH_ERROR

hashtag
Framework Examples

hashtag
React

hashtag
Vue 3

hashtag
Angular

hashtag
Making Authenticated API Calls

After login, include the token in your API requests:

hashtag
Fetching User's Teams & Projects

After login, you can fetch the user's team and project memberships:

hashtag
Get User's Teams

Response:

hashtag
Get User's Projects

Response:

hashtag
JavaScript Example

hashtag
React Hook Example

hashtag
Team-Specific Login

To log users into a specific team:

Behavior:

  • New users: Automatically assigned to the specified team

  • Existing users: Must already be a member of the team, or will be auto-assigned if team belongs to their org

hashtag
Security Considerations

hashtag
Origin Validation

The Auth Guard validates the origin parameter to prevent unauthorized apps from using SSO. Allowed origins:

  • *.turing.com and *.atlas.turing.com subdomains

  • localhost:* for development

To add your domain, contact the Auth Guard administrators.

hashtag
postMessage Security

Always verify the event origin in your message handler:

hashtag
Token Storage

  • Store tokens in localStorage for persistence across browser sessions

  • For higher security, use sessionStorage (cleared when browser closes)

  • Never store tokens in cookies without proper security flags

hashtag
Troubleshooting

hashtag
Popup Blocked

If the browser blocks the popup:

hashtag
CORS Issues

The SSO flow uses postMessage which doesn't have CORS restrictions. If you're making API calls after login and getting CORS errors, ensure:

  1. Your origin is in the Auth Guard's allowed origins

  2. You're including the Authorization header correctly

hashtag
Token Expired

JWT tokens expire after a configurable time (default: 24 hours). Handle token expiration:

hashtag
Consumer APIs

After SSO login, consumers can access various APIs using the JWT token.

hashtag
Get User's Teams and Projects

hashtag
Project Metadata API

Projects can store arbitrary metadata (configuration, settings, etc.):

hashtag
Permission Requirements

Endpoint
Method
Required Permission

/me/teams

GET

Any authenticated user

/me/projects

GET

Any authenticated user

/projects/{id}/metadata

GET

read:project (viewer+)

/projects/{id}/metadata

PUT

write:project (project_admin+)

/projects/{id}/metadata

PATCH

write:project (project_admin+)

/projects/{id}/metadata/{key}

DELETE

write:project (project_admin+)

hashtag
Migration from Callback-Based Flow

If you're currently using the callback-based flow (/auth/login + /auth/callback), you can migrate:

hashtag
Before (Callback-based)

hashtag
After (Popup-based)

hashtag
Support

For issues or questions:

PreviousAPI KeysNextService Routes

Last updated