Custom provider using OpenID Connect via IdentityServer3
I have a standalone authentication server that implements IdentityServer3 as an OpenID provider. It works well with existing clients and resources. I have an Angular-based application and a .NET API that both rely on it.

I am attempting to create a custom provider for Discourse that will allow users to login via this authentication server, or simply consent if already authenticated. To date, I have tried four different implementations:

  1. Custom OmniAuth OAuth gem and provider (inheriting Auth::Authenticator)
  2. Custom OmniAuth OpenID gem and provider (inheriting Auth::Authenticator)
  3. Third-party OmniAuth OpenID gem (openid-reconnect)
  4. Built-in Discourse OpenID Authenticator (Auth::OpenIdAuthenticator)

All fail with varying degrees of severity. I’m more than happy to post some of my defunct code to be judged by the community, but I’m hoping that someone here - and I’m guessing there’s someone - has already done the research and implementation of this use case, and will be willing to go through it with me.

As all four of my attempts have failed, I am guessing that I am just missing some valuable, epiphany-spewing detail due to the lack of documentation. Kudos to the group working on the community documentation effort, by the way.
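Whichever of the four routes above is used, the piece a custom OpenID Connect authenticator must get right on the callback is validating the ID token before trusting its claims. The following is an added Ruby example, not code from this post, from Discourse, or from IdentityServer3: it signs a token with a locally generated RSA key so it runs offline, then verifies it the way a relying party should (pinned `RS256` algorithm, signature, issuer, audience, expiry, nonce). The issuer URL, client id and user claims are constructed placeholders, and `claims_to_auth_result` is a hypothetical helper that only illustrates which verified fields an authenticator would hand back.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed placeholder values: the IdentityServer3 issuer URL and the
# client id registered for the Discourse client (not taken from the post).
ISSUER    = "https://idsrv.example.com"
CLIENT_ID = "discourse-forum"

class IdTokenError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
rescue ArgumentError
  raise IdTokenError, "malformed base64url segment"
end

# Mint an RS256 ID token the way the provider would (only here so the
# example runs offline; a real authenticator never signs tokens itself).
def sign_id_token(claims, rsa_key)
  header = { "alg" => "RS256", "typ" => "JWT" }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = rsa_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Validate an ID token returned on the callback: signature against the
# provider's published key, pinned algorithm, issuer, audience, expiry and
# the nonce the authenticator stored in the session before redirecting.
def verify_id_token(token, public_key, expected_nonce:, now: Time.now.to_i)
  parts = token.split(".")
  raise IdTokenError, "token must have three segments" unless parts.size == 3

  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: the token must not be allowed to pick "none" or an HMAC alg.
  raise IdTokenError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"

  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, signing_input)
    raise IdTokenError, "signature does not verify"
  end

  claims = JSON.parse(b64url_decode(parts[1]))
  raise IdTokenError, "issuer mismatch" unless claims["iss"] == ISSUER
  raise IdTokenError, "audience mismatch" unless Array(claims["aud"]).include?(CLIENT_ID)
  raise IdTokenError, "token expired" unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  raise IdTokenError, "nonce mismatch" unless claims["nonce"] == expected_nonce
  claims
end

# Hypothetical mapping from verified claims to the fields a Discourse
# authenticator hands back (uid, email, whether the email may be trusted).
def claims_to_auth_result(claims)
  {
    uid:         claims.fetch("sub"),
    email:       claims["email"],
    email_valid: claims["email_verified"] == true,
    name:        claims["name"],
  }
end

# Offline demonstration with a freshly generated provider key.
def demo
  provider_key = OpenSSL::PKey::RSA.new(2048)
  nonce = "n-" + OpenSSL::Random.random_bytes(8).unpack1("H*")
  now = Time.now.to_i
  claims = {
    "iss" => ISSUER, "aud" => CLIENT_ID, "sub" => "42", "iat" => now,
    "exp" => now + 300, "nonce" => nonce, "email" => "alice@example.com",
    "email_verified" => true, "name" => "Alice",
  }
  token = sign_id_token(claims, provider_key)
  result = claims_to_auth_result(verify_id_token(token, provider_key.public_key, expected_nonce: nonce))

  # The same payload and signature under an "alg": "none" header must be rejected.
  parts = token.split(".")
  none_header = b64url(JSON.generate({ "alg" => "none", "typ" => "JWT" }))
  forged = "#{none_header}.#{parts[1]}.#{parts[2]}"
  rejected = begin
    verify_id_token(forged, provider_key.public_key, expected_nonce: nonce)
    false
  rescue IdTokenError
    true
  end
  [result, rejected]
end

if __FILE__ == $PROGRAM_NAME
  result, rejected = demo
  puts "auth result: #{result.inspect}"
  puts "alg=none token rejected: #{rejected}"
end
```

In a real authenticator the public key comes from the provider's JWKS endpoint (selected by the token's `kid`), the nonce is generated per login and stored server-side in the session, and `email_valid` should only be true when the provider asserts `email_verified`; otherwise Discourse would link the account to an unverified address.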

(Ofer Nave) #2

I don’t know if this helps, but someone released a new OAuth2 plugin for Discourse less than two weeks ago:

Assuming it works, it should have most of what’s needed to implement OpenID Connect. Perhaps you can build on it, or contribute to it, or merely learn from its example.

Personally, I would also very much like to see a well-supported means of using OpenID Connect with Discourse. I’m building an OpenID Connect provider right now, and want to be able to integrate Discourse with it. I did comment on the OAuth2 plugin topic about that, maybe that’s a good place to start rallying interest and support.

(John Korsnes) #3

Hi, @madhouse.

We just blogged about how we solved this by extending IdentityServer3 with custom endpoints specifically for Discourse. Might help you or others with integrating idsrv+discourse.

(Julian Elve) #4

@johnkors’s approach is fantastic, but we found we needed to extend it slightly so that we could make use of not just the local login accounts on the IdentityServer, but also the federated identity sources we have set up.

Details in this gist

(David Taylor) #5

We now have an official plugin for openid-connect integration, which does not require an intermediary server like the one described in this topic.