Help & Support

User Integration

You need some development experience to make use of this feature, with the ability to edit your site's back-end code.

Cbox Pro supports Integration, which is a way to implement single sign-on. If users already log in or register with your site, Integration means they don't have to enter their name again on your Cbox.

Configure Integration at your control panel. Example code is available there. The rest of this article deals with general concerns.

How it works

Integration is implemented using query string parameters appended to the Cbox iframe URL. The final parameter is a signature generated from the rest of the URL. You don't need any external components or callbacks, just language support for HMAC-SHA256, base64-encoding, and url-encoding.

The signature is important to secure the generated URL against tampering by the user or any other intermediary. However, most back-end platforms have built-in support for the necessary functions.

Integrating avatars and profile links

The only required parameter is nme, for the user's name, and the signature, sig. But you can also pass lnk and pic parameters to Cbox, to take advantage of name links and avatars, respectively. These should be provided as absolute URLs. For example, https://yoursite.example.com/path/to/image.gif. Note that the respective display settings need to be enabled for name links or avatars to show up.

Integrating with mod/admin permissions

Integrated users' names will be registered with Cbox automatically, if they aren't already. This means you can confer mod/admin permissions at your Users page.

You can also use Integration with Moderated chat. With Moderated mode enabled, your Integrated users by default will not have voice permission. You will be able to review their messages as a mod or admin user in your Cbox and approve them accordingly.

Security

Note that if you have existing users registered before enabling Integration, they are authenticated by Integration regardless of their password. This means if you have an existing "admin" user registered with a password on your Cbox, and you then enable Integration, the corresponding user named "admin" on your site will get that name (and permission). This can be an advantage, but if it's a risk in your case, delete all registered users before enabling Integration.

The signature in the Integrated Cbox URL protects the name and other information in transit. However, if you are concerned about leaked URLs, you can limit URL validity by passing an additional (signed) query string parameter, valid_to, which should be set to a UNIX timestamp. The URL will stop working after the time specified.

You can also change the key used to generate the signature, by changing your security tag. This invalidates all your Cbox URLs, but requires that you change your published Cbox embed code accordingly.

Debugging

If you get an error in your Cbox saying that there's a problem with Integration, the most common cause is an invalid signature.

The first thing to do is right-click and inspect the Cbox iframe URL. You should have nme=...&sig=... parameters populated in the query string. If not, check that your embed code is in place and being parsed without errors.

If the sig parameter is present in the URL, confirm that it is being generated using the correct secret key. The key is available at your Integration page.

Ensure that you are url-encoding your query string parameters exactly once, and encoding before calculating the signature. The signature itself must then also be url-encoded, and appended to the URL. If you see the sequence %25XX in the URL, that's a sign that you might be applying url-encoding to already url-encoded strings.

If you are still getting errors, contact us including the code you are using and an example URL, and we should be able to assist.

Last updated 8 March 2017

« Support home

Loading...