Could Discourse offer a StackExchange-like SSO/Federated login service?

I’ve started seeing Discourse everywhere, and I couldn’t be happier! It seems like it is quickly becoming the standard choice for communities looking to quickly set up new discussion forums or replace existing forums based on old platforms and outdated UX patterns.

However in some ways it feels like a victim of its own success - every time I want to post to a new Discourse community, I need to create an account, set up a password, etc. Some communities have bothered to set up OAuth via Github, social media, etc but many have not. I have to create and verify a new account on their Discourse server just to ask one question, offer an answer, or even :heart: an answer that I found helpful.

Compare this to my experience on the StackExchange network, where I am offered a “Join This Community” button on a community that I wish to interact with for the first time. When I click this button, I get an offer to sign up using my login from another community:

Screen Shot 2020-08-14 at 1.12.40 PM

The new account is automatically created and logged into with a single click.

I think my issue is that there is an unstated assumption that each Discourse community is its own island, and that users sit around all day logged in to a single forum waiting to see responses and new questions, having fun by earning badges and racking up privileges. In reality the vast majority of users’ interactions are need-driven, with only a very few users anchoring the communities to participate on a regular basis. I believe a typical user’s interaction with a Discourse community is something like:

  1. Have a problem
  2. Google for an answer
  3. Can’t find a solution anywhere on the internet including the group’s Discourse forum
  4. Decide that my problem is pressing enough to create an account on the forum
  5. Ask my question or comment on an existing question
  6. Get an answer from someone, or eventually figure it out on my own
  7. If I figured it out on my own and I’m feeling prosocial, report back to the Discourse forum with my solution
  8. Go back to living my life
  9. Years later, have another problem and try to remember my credentials so I can log back in to the forum again
  10. Repeat steps 5-10

Much of this process is hampered by having to create a new account for every new forum I want to participate in.

I realize that StackExchange communities are managed by a central company, whereas Discourse communities are hosted in a completely decentralized manner, but it seems like this could be implemented with Discourse establishing its own identity provider service. In contrast with integrating something like Github or Facebook, where the administrator for the forum has to take active steps on an external website to set up OAuth with these providers, it seems like the necessary tokens for a “login with Discourse” button could be automatically set up through the standard installation process.

I know there have been other conversations about this issue, but they seem to be overly complicated in scope and gotten off track.

2 Likes

That is a different sort of federation, connecting Discourse to tools like Mastodon related to posts and replies (as opposed to logging in).

You’ll want to checkout Discourse SSO, which is being discussed in various topics around meta.

1 Like

What you describe was discussed a lot in the beginnings of Discourse. There is a tag for it: #discourse_hub

The most recent topic is from 2014:

(also, I just noticed that Jeff uses the name @david as an example, many years before I even knew about Discourse :joy:)

It is a very cool idea, but there are a lot of roadblocks in the way.

6 Likes

Awesome, thanks! It seems like SE has solved many of the problems described in that thread over the past 6 years or so (for example, it uses a number+username as a unique identifier for users).

The crux of the issue seems to be that unlike SE, Discourse is decentralized with each community being completely controlled by whoever controls the server(s) it runs on. I would also argue that those admins who don’t want to give up a bit of control to make their community more accessible could certainly have the option to opt-out of Discourse Hub, with the understanding that there is a cost to that decision in the form of diminished accessibility and user engagement.

We could certainly ship a default social login to the “DiscourseHub” provider, default enabled and with some extras like full support for all default fields (username, name, email, avatar, bio) and even offer some two way sync (try to scrape the user account just created and publish some details on the central profile, like badges and best posts). We could even use it to push best standards, like large minimum password and mandatory 2FA.

Now if we should do this is a great open question.

2 Likes

How much of this would a centrally-managed (by us) directory solve?

You’ll still need to create a new account on each site, and each site may have (for example) different fields required on signup. We could populate most, but you’d still need to confirm them. Avatar is already well-served by e.g. Gravatar.

re. trying to remember your credentials: email login is the best way to use those communities to which you infrequently log in - I use it whenever it’s enabled.

I would love to see a solid problem that needs to be solved before we consider becoming yet another identity provider. I see decentralisation as a feature, not a bug :slight_smile:

5 Likes

On this topic … one theme component I 100% support is a change that turns auth into 100% email based.

  • To register … all you do is enter email address, username, name … no password
  • To login … all you do is enter email address … no password

We already support passwordless login, via email but it is somewhat hidden. Throwing away the password would make this completely obvious and would remove a bunch of friction.

Clearly not a Discourse default for now, but a very interesting theme component imo.