I need some guidance please on logging people in to a remote web site using their existing Discourse user/pass.
I don’t think I need SSO… here’s why.
First, some background around my existing use case and why I don’t like it.
I currently have a website at https://www.example.com and it has a login button.
When a user clicks the login button they are asked to enter their existing Discourse username and email address (note: user + email, NOT a password)
I then take these two pieces of information and fire an API
GET request to:
"https://mydiscourse.comm/admin/users/list/all.json?email=" + strEmail
In the headers of this API call that I make, I include the “system” user account name and the associated API key for the system user.
If an email address match is found, I compare the Username they gave me in my form to the Username returned in the API response for that given email address.
If it matches I then consider this user logged in on my site at https://www.example.com
I built this three or four years ago and it still works fine to this day.
It is very confusing for a user to enter a Username + Email address combination in a login form
– Most people always enter a user+pass
– Despite massive instructions all over my form, people still naturally get it wrong
It’s not secure
– You only need to know the username + their email address and armed with those two (trivial) pieces of information you can log in to https://www.example.com “as them” with very little trouble
What I’d like to do is have the user click the Login button on https://www.example.com and enter their existing Discourse User + Pass (instead of user+email !)
My website at example.com would then fire a quick API request over to my Discourse, confirm the supplied user/pass combination is correct and return their existing Discourse user id.
Hope this is making sense
I’ve been all over the API documentation and for the life of me I can’t seem to find a simple “login” endpoint?
I do not need or want to log people in or out of my Discourse itself, I simply need to confirm their user/pass is correct really.
Any pointers, guidance, links or advice very much welcomed