Hi,
I’m working on this a bit as well.
What’s I’ve got so far is:
- Discourse admin configures “Allowed user api auth redirects” to their own host ( i.e. https://your-discourse.org/user-api-key ).
- An additional show action in the user_api_key controller shows the payload ( which the user will use to copy-paste into an environment variable)
Sounds like there’s a complication with the requirement for an RSA key pair. Since this isn’t a bundled mobile app, users would have to generate their own keys to get the token. Would it be possible to make this key pair optional if we are just redirecting back to the discourse app instead of a 3rd party? Likelihood of a man in the middle seems low, but I’m definitely unfamiliar with the requirements of this.