1. Overview

Central Blogs no longer uses Auto SSO or bridge callbacks. Tenant blog pages now rely on two simple inputs from each application record:

  • main_site for the backlink shown in the tenant navbar.
  • login_url for the sign-in button shown to visitors.
What still works: Visitors can browse tenant blogs, like posts with a visitor identity, and authenticated application users with an active local session can comment. Signed CRUD APIs remain unchanged.

3. Direct SSO Entry

Central Blogs supports a direct tenant-domain login entry route for one-click blog access: GET /sso/login.

GET https://tenant-blog.example.com/sso/login?application_key=APP_KEY&token=JWT&target=/optional-path
  • application_key identifies the application record.
  • token must be a short-lived HS256 JWT signed with the tenant secret_key.
  • target is optional and is only honored for safe internal blog paths.
Expected token claims: Central Blogs validates aud, iat, exp, jti, remote_id, and email. The optional application_id claim must match the resolved tenant when present.

4. Session Identity

Central Blogs no longer accepts bridge callbacks or cross-domain identity cookies. The tenant frontend honors either an existing application_user session or a new session established through the direct /sso/login entry route above.

  • Use login_url when you want the UI to send a visitor to sign in.
  • If no authenticated session exists, the tenant blog stays in visitor mode.
  • No signed cookie contract or bridge callback path remains in the runtime.

5. Visitor Rules

  • Guest visitors can browse tenant pages without being redirected anywhere.
  • Guest visitors receive a visitor_key when needed for likes and view tracking.
  • Comments still require an authenticated application user.
  • Unauthenticated form comments are redirected back with an error instead of starting any bridge flow.

6. Removed Endpoints

The following tenant auth routes are intentionally gone:

  • GET /auth/bridge
  • GET /auth/logout
  • POST /api/auth/bridge

Any integration that still references those paths should be updated to use the direct /sso/login entry route or the signed application APIs instead.