Adding command line tools support for user api keys

Okay, I didn’t realize the bitnami code was a hack! :fearful:

@sam I have a few more questions on the API call. How does the client_key fit into this? Do you mean that helpme is registered as an application somewhere, and then given a key? And how is this distributed to the user?

I’m trying to map this to my understanding of OAuth2. With OAuth2 the provider would register the application (with a client id and secret) and the user doesn’t need to create a key. For example, to get a GitHub OAuth2 for Singularity Hub I:

  • register the application in GitHub
  • am given a client secret and key
  • add the secret and key to Singularity Hub
  • Singularity Hub uses the key/secret to create tokens (token and refresh) on the user’s behalf

In our case, we are only dealing with one provider - Discourse - and so there is no “GitHub” to register the application to. But maybe something like this?

  • register the helpme client on a Discourse board (this is like the board giving approval for helpme to be used)
  • the Discourse board turns on the endpoint to accept generation of tokens (and generates a client_key? where does it go / how is it used?)
  • the user goes through the authentication flow (accepting in browser) to get a token
  • the token is valid for some scope to post questions, etc.

I’m not sure where a public and private key fit in here, because it’s not typical to ask every user to do that, and actually would probably be too much and deter people from using it. The first validation is by way of the user accepting in the web interface, and the following come from the API token used after that. Could we talk about the generation and then use of the various keys/secrets, and how you see this working?