1. Overview
Central Blogs no longer uses Auto SSO or bridge callbacks. Tenant blog pages now rely on two simple inputs from each application record:
- main_site for the backlink shown in the tenant navbar.
- login_url for the sign-in button shown to visitors.
2. Login Links
The blog frontend does not assemble callback URLs anymore. It simply links to the configured login_url, or falls back to main_site when a dedicated login URL is not provided.
$application->main_site = 'https://app.example.com';
$application->login_url = 'https://app.example.com/login';
/auth/bridge, /api/auth/bridge, or any
bridge-start endpoint. Those routes were removed from Central Blogs.
3. Direct SSO Entry
Central Blogs supports a direct tenant-domain login entry route for one-click blog access: GET /sso/login.
GET https://tenant-blog.example.com/sso/login?application_key=APP_KEY&token=JWT&target=/optional-path
- application_key identifies the application record.
- token must be a short-lived HS256 JWT signed with the tenant secret_key.
- target is optional and is only honored for safe internal blog paths.
aud, iat, exp,
jti, remote_id, and email. The optional
application_id claim must match the resolved tenant when present.
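An added example (not Central Blogs code) of the token contract in this section: minting the JWT on the application side and the checks a receiver would apply before honoring it. The `aud` value, the 60-second lifetime, the 300-second cap, the 30-second clock skew and the `safeTarget` rule are assumptions, since the page does not specify them; the key, secret and user values are constructed. Requires PHP 8.

```php
<?php
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
// Application side: mint a short-lived HS256 token with the claims the page lists.
function mintSsoToken(string $remoteId, string $email, string $secretKey, string $aud, int $ttl = 60): string {
    $now = time();
    $header = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $claims = b64url(json_encode([
        'aud' => $aud, 'iat' => $now, 'exp' => $now + $ttl,
        'jti' => bin2hex(random_bytes(16)),
        'remote_id' => $remoteId, 'email' => $email,
    ]));
    return "$header.$claims." . b64url(hash_hmac('sha256', "$header.$claims", $secretKey, true));
}
// Receiving side: returns the claims, or null as soon as any check fails.
function verifySsoToken(string $jwt, string $secretKey, string $aud, array &$seenJti): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $c, $sig] = $parts;
    $header = json_decode(base64_decode(strtr($h, '-_', '+/')), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null; // pin the algorithm
    $expected = b64url(hash_hmac('sha256', "$h.$c", $secretKey, true));
    if (!hash_equals($expected, $sig)) return null; // constant-time signature compare
    $claims = json_decode(base64_decode(strtr($c, '-_', '+/')), true);
    if (!is_array($claims)) return null;
    foreach (['aud', 'iat', 'exp', 'jti', 'remote_id', 'email'] as $k) {
        if (!isset($claims[$k])) return null;
    }
    $now = time();
    if ($claims['aud'] !== $aud || !is_int($claims['iat']) || !is_int($claims['exp'])) return null;
    if ($claims['exp'] <= $now || $claims['iat'] > $now + 30) return null; // expired or future-dated
    if ($claims['exp'] - $claims['iat'] > 300) return null; // assumed cap on token lifetime
    if (!is_string($claims['jti']) || isset($seenJti[$claims['jti']])) return null; // replayed jti
    $seenJti[$claims['jti']] = true; // use a shared store with a TTL in a real deployment
    return $claims;
}
// Assumed "safe internal path" rule: one leading slash, no backslash or control characters.
function safeTarget(?string $t): string {
    $ok = is_string($t) && str_starts_with($t, '/') && !str_starts_with($t, '//')
        && !str_contains($t, '\\') && !preg_match('/[\x00-\x1f]/', $t);
    return $ok ? $t : '/';
}
// Constructed demo: the first verification succeeds, the replay of the same token does not.
$seen = [];
$jwt = mintSsoToken('42', 'user@example.com', 'demo-secret', 'tenant-blog.example.com');
var_dump(verifySsoToken($jwt, 'demo-secret', 'tenant-blog.example.com', $seen) !== null);
var_dump(verifySsoToken($jwt, 'demo-secret', 'tenant-blog.example.com', $seen) !== null);
var_dump(safeTarget('//other.example/x'), safeTarget('/posts/hello'));
```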
4. Session Identity
Central Blogs no longer accepts bridge callbacks or cross-domain identity cookies. The tenant
frontend honors either an existing application_user session or a new session
established through the direct /sso/login entry route above.
- Use login_url when you want the UI to send a visitor to sign in.
- If no authenticated session exists, the tenant blog stays in visitor mode.
- No signed cookie contract or bridge callback path remains in the runtime.
5. Visitor Rules
- Guest visitors can browse tenant pages without being redirected anywhere.
- Guest visitors receive a visitor_key when needed for likes and view tracking.
- Comments still require an authenticated application user.
- Unauthenticated form comments are redirected back with an error instead of starting any bridge flow.
6. Removed Endpoints
The following tenant auth routes are intentionally gone:
- GET /auth/bridge
- GET /auth/logout
- POST /api/auth/bridge
Any integration that still references those paths should be updated to use the direct
/sso/login entry route or the signed application APIs instead.