Best way to add verified third-party accounts to profile

Basically, I’m trying to let users verify that they’re the owner of some social accounts that don’t have OpenID or OAuth (Riot account for example). What would be the best approach for doing so? Would it be possible to have a user use Discourse as an OAuth provider for an external app that edits the database? I’m not too familiar with Discourse yet so I’m trying to think of the best way of making something like it.

I believe @falco has experience with Riot?

2 Likes

Oh that is an interesting problem. One approach we experimented with was using Keybase for that. They already have a robust identity proof system that works with many platforms. You can read about our experiments at Discourse Keybase Proof. Not sure how it will be now that Zoom bought it.

This part comes across a bit weird. How would Discourse being an IdP for Riot help you prove on Discourse that you own an existing Riot/Matrix account?

Can you explain a bit more? I was looking into Matrix SSO yesterday, and finally they have something now. They implement both SAML and, on the develop branch, OAuth2. Discourse can’t talk either as a server, only as a client, so I was looking into either making Discourse act as an OAuth2 server or adding support for Discourse’s own SSO protocol in Synapse. Not sure this would address your needs…

3 Likes

Is there some public URL at Riot that the user could control? Like a publicly accessible Bio that the user could insert a code in? Then a Discourse plugin could generate a code that the user would insert in their Bio and when they insert their riot username it’d check URL/<riot-username>/bio for that code?

Such a system would allow a fairly general-purpose plugin that could be configured for multiple third-party sites with some system settings.

1 Like
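A sketch of the bio-code check proposed in the post above, added here as an example (not code from the thread or from Discourse). The site entry, URL template and class name are assumptions, and the bio text is passed in rather than fetched so the block runs offline.

```ruby
require "securerandom"
require "uri"

# Hypothetical per-site settings: a fixed URL template and an allow-list pattern
# for handles, so user input can never change the host or path being fetched.
SITES = {
  "example-game" => { url: "https://profiles.example.invalid/%s/bio",
                      handle: /\A[A-Za-z0-9_]{3,16}\z/ }
}.freeze
CHALLENGE_TTL = 15 * 60 # seconds a code stays valid

class BioChallenges
  def initialize
    @pending = {} # [user_id, site] => { handle:, code:, expires: }
  end

  # Issue an unguessable code bound to one forum user and one claimed handle.
  def issue(user_id, site, handle, now: Time.now)
    cfg = SITES.fetch(site) { raise ArgumentError, "unknown site" }
    raise ArgumentError, "bad handle" unless cfg[:handle].match?(handle)
    code = "verify-#{SecureRandom.hex(16)}"
    @pending[[user_id, site]] = { handle: handle, code: code, expires: now + CHALLENGE_TTL }
    { code: code, check_url: format(cfg[:url], URI.encode_www_form_component(handle)) }
  end

  # bio_text is what the server fetched from check_url (never supplied by the browser).
  def verify(user_id, site, handle, bio_text, now: Time.now)
    ch = @pending[[user_id, site]]
    return :no_challenge unless ch
    return :handle_mismatch unless ch[:handle] == handle
    if now > ch[:expires]
      @pending.delete([user_id, site])
      return :expired
    end
    # Another user's code sitting in the same bio does not satisfy this challenge.
    return :code_not_found unless bio_text.to_s.include?(ch[:code])
    @pending.delete([user_id, site]) # single use
    :verified
  end
end
```
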

The standard for this that I’m in favor of adopting is the bidirectional link `rel="me"`. Add a link from that page to your Discourse profile, and a link from your Discourse profile to that page; both systems crawl the other URL, see the rel=me and mark it :white_check_mark: Verified.

Special cases can be put into place for pulling the bio field from platforms not implementing this.

3 Likes
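The bidirectional `rel="me"` check described in the post above, as an added example (not code from the thread or from Discourse). Function names and URLs are assumptions, and the tag scan is a simplified regex that only handles quoted attribute values; a real crawler would use an HTML parser.

```ruby
require "uri"

# Normalise a profile URL for comparison; only http(s) URLs with a host are accepted.
def canonical(url)
  u = URI.parse(url.to_s.strip)
  return nil unless u.is_a?(URI::HTTP) && u.host # URI::HTTPS is a subclass of URI::HTTP
  path = u.path.sub(%r{/+\z}, "")                # ignore trailing slashes
  query = u.query ? "?#{u.query}" : ""           # keep the query: ?id=1 and ?id=2 differ
  "#{u.scheme.downcase}://#{u.host.downcase}:#{u.port}#{path}#{query}"
rescue URI::InvalidURIError
  nil
end

# Collect the targets of <a>/<link> tags whose rel token list contains "me".
def rel_me_links(html)
  html.scan(/<(?:a|link)\b[^>]*>/i).filter_map do |tag|
    attrs = tag.scan(/([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/i)
               .to_h { |name, dq, sq| [name.downcase, dq || sq] }
    # rel is a space-separated token list: "nofollow me" counts, "menu" does not.
    next unless attrs["rel"].to_s.downcase.split.include?("me")
    canonical(attrs["href"])
  end
end

# Verified only when each page links to the other with rel="me".
# A plain link (for instance one a stranger left in a comment) proves nothing.
def mutually_verified?(url_a, html_a, url_b, html_b)
  a = canonical(url_a)
  b = canonical(url_b)
  return false unless a && b
  rel_me_links(html_a).include?(b) && rel_me_links(html_b).include?(a)
end
```
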

I mean Discourse as an IdP for my own standalone program. I’m just not sure what the best way for linking things like a Riot Games ID since they don’t have an OAuth solution that is public yet. I know they just announced RSO but they haven’t given a date on that being publicly available.

Currently, for third-party applications to “verify” a Riot account it requires users to log in to their League of Legends client and change a field under the settings tab. I was just trying to come up with a way of going from Discourse to the League API and then adding the custom profile field once it has been verified.

Here’s the part where the code comes in for reference. Basically, I’m then able to call the League API and see if the value of this code matches the one that they were instructed to use.

Also, I’m using a SAML login system for my Discourse since it ties into the rest of my website and was wanting to have a way of adding “verified” Discord usernames in a similar fashion. Again, I’m just not too sure how I would go about getting the logged in user on Discourse prompting an OAuth via Discord OAuth and then changing the value on Discourse’s end.

I hope that makes some sense and shows what I’m trying to accomplish. If you still need more information about what I’m trying to do I can provide more. I’m just only wanting to show verified accounts on profiles. I plan on having Minecraft (Mojang), Discord, and Riot Games (League of Legends) but for my use I’d need them to be verified values to avoid impersonation.

I believe the Twitch <-> Riot link used for Valorant beta drops was OAuth2, on https://auth.riotgames.com/login. Not sure you can go and create a client_id.

Well, that sounds doable with a custom plugin!

That should work using our native Discord integration. Just enable Discord login and users can link their Discord profile on their profiles.

2 Likes

Yeah, currently it’s not public and still in the early stages. They talked about it in this article Riot Sign On (RSO) | Riot Games on their developers site.

That’s what I thought so I’ll see if I could get that working.

The only reason why I’m not trying to use the native Discord integration is because the rest of my websites already have authentication through a main IdP and I’d like to have people only create one account for my whole website if that makes sense. I’ll see if I can get the League of Legends plugin working and see how hard it would be to do what I’m thinking of doing. I just was not too sure if there were ways of accessing and editing user profiles from a PHP application or similar. Ultimately, I was just thinking of using PHP for a simple OAuth login system where they sign in with Discord but I’m just having issues with how I could “tell” the PHP script which user initiated the request unless I can somehow initiate the request via Discourse and have the PHP script verify that it is legitimate.

Thank you so much for the responses here everyone, I’m still new to actually managing my own Discourse and appreciate all of the help. :smiley:

1 Like
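One way an external script can learn which forum user started a linking request and confirm the request is legitimate, added here as an example (not code from the thread and not a Discourse API). The shared secret, field names and function names are assumptions; the token would travel in the OAuth `state` parameter and come back on the callback.

```ruby
require "openssl"
require "json"
require "securerandom"
require "set"

SECRET = "constructed-demo-secret" # assumption: known only to the forum side and the external app
TOKEN_TTL = 300                    # seconds

# Constant-time string comparison, so signature checks do not leak timing.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Forum side: mint a short-lived token naming the logged-in user who clicked "link account".
def mint_link_token(user_id, provider, now: Time.now.to_i)
  claims = { "uid" => user_id, "provider" => provider,
             "nonce" => SecureRandom.hex(8), "exp" => now + TOKEN_TTL }
  payload = JSON.generate(claims).unpack1("H*") # hex keeps the token URL-safe
  "#{payload}.#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
end

# External app side: returns the claims, or nil if forged, expired or replayed.
def verify_link_token(token, seen_nonces, now: Time.now.to_i)
  payload, sig = token.to_s.split(".", 2)
  return nil unless payload && sig
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  return nil unless secure_eq?(sig, expected)    # check the MAC before parsing anything
  claims = JSON.parse([payload].pack("H*"))
  return nil if now > claims["exp"]
  return nil unless seen_nonces.add?(claims["nonce"]) # Set#add? is nil on a repeat
  claims
end
```
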

Well, I’ll have to look into if plugins have more access than external programs via the API since I could not find any way to edit a user field via the API on https://docs.discourse.org/.