SSO Integration

Overview

Atlas Auth Guard provides a popup-based SSO flow that allows consumer applications to integrate Google OAuth authentication with minimal code. The Auth Guard handles the entire OAuth flow, and your application just needs to:

  1. Open a popup window

  2. Listen for a postMessage with the auth result

  3. Store the token

No callback page needed in your application!

Quick Start

Minimal Integration (10 lines of code)

function login(teamId, projectId) {
  // 1. Open SSO popup
  const authGuardUrl = 'https://your-auth-guard.run.app';
  let ssoUrl = `${authGuardUrl}/v1/auth/sso?origin=${encodeURIComponent(window.location.origin)}`;

  // Optional: Login to a specific team
  if (teamId) {
    ssoUrl += `&team_id=${encodeURIComponent(teamId)}`;
  }

  // Optional: Login to a specific project (requires team_id)
  if (projectId && teamId) {
    ssoUrl += `&project_id=${encodeURIComponent(projectId)}`;
  }

  const popup = window.open(ssoUrl, 'Atlas SSO', 'width=500,height=600,left=100,top=100');

  // 2. Listen for auth result
  window.addEventListener('message', function handler(event) {
    // Verify origin
    if (!event.origin.includes('your-auth-guard.run.app')) return;

    if (event.data.type === 'ATLAS_AUTH_SUCCESS') {
      const { token, user } = event.data;

      // 3. Store credentials
      localStorage.setItem('auth_token', token);
      localStorage.setItem('user', JSON.stringify(user));

      // 4. Update your app state
      console.log('Logged in as:', user.user_email);
      console.log('Team:', user.team_name);       // User's team context
      console.log('Project:', user.project_name); // User's project context
      window.removeEventListener('message', handler);

      // Refresh page or update UI
      location.reload();
    } else if (event.data.type === 'ATLAS_AUTH_ERROR') {
      console.error('Login failed:', event.data.error);
      window.removeEventListener('message', handler);
    }
  });
}

// Usage examples:
login();                                                                    // Default team/project login
login('ab2785b2-b5d0-4926-92fb-00aae5ec860a');                             // Login to specific team
login('ab2785b2-b5d0-4926-92fb-00aae5ec860a', 'cd1234e5-f6g7-8h9i-jklm'); // Login to specific team + project

HTML Button Example

API Reference

GET /v1/auth/sso

Opens the SSO login page in a popup window.

Query Parameters:

Parameter
Required
Description

origin

Yes

Your app's origin URL (e.g., https://myapp.turing.com)

team_id

No

Team ID for team-specific login

Example URLs:

postMessage Events

The popup sends these messages to the opener window:

Success: ATLAS_AUTH_SUCCESS

Error: ATLAS_AUTH_ERROR

Framework Examples

React

Vue 3

Angular

Making Authenticated API Calls

After login, include the token in your API requests:

Fetching User's Teams & Projects

After login, you can fetch the user's team and project memberships:

Get User's Teams

Response:

Get User's Projects

Response:

JavaScript Example

React Hook Example

Team-Specific Login

To log users into a specific team:

Behavior:

  • New users: Automatically assigned to the specified team

  • Existing users: Must already be a member of the team, or will be auto-assigned if team belongs to their org

Security Considerations

Origin Validation

The Auth Guard validates the origin parameter to prevent unauthorized apps from using SSO. Allowed origins:

  • *.turing.com and *.atlas.turing.com subdomains

  • localhost:* for development

To add your domain, contact the Auth Guard administrators.

postMessage Security

Always verify the event origin in your message handler:

Token Storage

  • Store tokens in localStorage for persistence across browser sessions

  • For higher security, use sessionStorage (cleared when browser closes)

  • Never store tokens in cookies without proper security flags

Troubleshooting

Popup Blocked

If the browser blocks the popup:

CORS Issues

The SSO flow uses postMessage which doesn't have CORS restrictions. If you're making API calls after login and getting CORS errors, ensure:

  1. Your origin is in the Auth Guard's allowed origins

  2. You're including the Authorization header correctly

Token Expired

JWT tokens expire after a configurable time (default: 24 hours). Handle token expiration:

Consumer APIs

After SSO login, consumers can access various APIs using the JWT token.

Get User's Teams and Projects

Project Metadata API

Projects can store arbitrary metadata (configuration, settings, etc.):

Permission Requirements

Endpoint
Method
Required Permission

/me/teams

GET

Any authenticated user

/me/projects

GET

Any authenticated user

/projects/{id}/metadata

GET

read:project (viewer+)

/projects/{id}/metadata

PUT

write:project (project_admin+)

/projects/{id}/metadata

PATCH

write:project (project_admin+)

/projects/{id}/metadata/{key}

DELETE

write:project (project_admin+)

Migration from Callback-Based Flow

If you're currently using the callback-based flow (/auth/login + /auth/callback), you can migrate:

Before (Callback-based)

After (Popup-based)

Support

For issues or questions:

PreviousAPI KeysNextService Routes

Last updated