Discourse as SSO source of authority for Wordpress

(Manoel Lemos) #1

Hi, I want a different type of SSO integration. I need Discourse to be the source of authority for my Wordpress blog.

I don’t need a super sophisticated authentication in the WordPress, but I need to know who the user is based on his discourse session?

Discourse is the subdomain forum.fazedores.com and wordpress is in blog.fazedores.com

Is it possible?

Log in with Discourse?
Email activation when using SSO
(Jeff Atwood) #2

Usually it is the other way around, people want Wordpress to be the SSO authority.

Discourse to look to Wordpress for user meta/login
(Manoel Lemos) #3

Yeah, but as Discourse forums are much more interactive than blogs usually are, it is going to be a matter of time for discourse being the best candidate to handle user authentication.

That is exactly my case, a few hundred users on my forum and only a few on my blog.

Also, if you need to create, lets say, a raffle for the forum users and you want them to authenticate, that is necessary also. Not just for raffles but for many other forms of interaction.

Make sense?

(Discrete Chen) #4

Agreed. I think it won’t be harmful if discourse add this feature.

(Discrete Chen) #5

And if I already have a discourse set up and have some user and want to start a Wordpress, how can I migrate the discourse user database to Wordpress and then enable Wordpress SSO?

(Erlend Sogge Heggen) #6

The “Discourse as user accounts manager” use case fits my needs as well. The only other component of our website that handles (large amounts of-) users is DokuWiki, and we certainly don’t want our simple (and not always up to date) wiki system to be the keeper of user info.

Discourse, with its trust levels, likes, badges, rich profiles and extensive API makes for an ideal userhub. I get that most people right now need to do it the other way around because they’ve built the entirety of their site out from the WordPress core. But WordPress really isn’t built for non-editorial users out of the box, so for new sites I don’t think it makes a lot of sense to have WordPress as the central userhub.

If someone is using Discourse as the SSO authority for other applications, please share.

(Kane York) #7

Note that Discourse now can serve as a provider of its own SSO protocol.

How can I make discourse to SSO provider?(not consumer)
(Erlend Sogge Heggen) #8

Is there an example implementation of this that we can look at? As mentioned, we’re trying to hook into a basic PHP app.

(Sam Saffron) #9

Its trivial, you just enable the setting “enable sso provider” and plug in your password.

(Kane York) #10

I think he was talking about the consumer side.

(James Khan) #11

I’m writing a resource API for jmonkeyengine.org using discourse as the primary account system, and it’s entirely possible right now. The implementation (in java) is written here:

I’m not entirely sure if it would help to solve your issue, but if the response were to return the session string upon login as opposed to just setting the cookie, that would at least give the programmer something to work with (stored session comparison). Then again, you could do that by decrypting the cookie (base64 iirc). So… there’s something there to work with already, albeit a bit of a hack.

(Kane York) #12

Why aren’t you using the enable sso provider site setting? Then you can just do SSO with the roles reversed. Look @ the discourse code for SSO (current user provider stuff) for how to do that.

(James Khan) #13

Lack of documentation is the only reason, or at least that was the case when I first started the implementation… And when I looked at the code at that point in time, it appeared to be half-implemented.

(Daniel Brief) #14

@riking, @sam can you give a little more detail for us Newbies? I looked at Official Single-Sign-On for Discourse (sso) and tried to reverse the flow, starting with calling my discourse server where the example called the external server, but that doesn’t work (I get a 404 on /discourse/sso?). So it’s a little more than literally reversing the roles… If I need to RTFM, please point me to the right place(s).
Any help would be much appreciated!

(Kane York) #15

The URL is /session/sso_provider . Fill in the SSO_secret like normal.

(Daniel Brief) #16

Getting closer - it redirects to /login, I see a request to get /session/csrf which looks OK and then I type in name and password, hit enter and the browser does a POST to /session with my login and pw in the data and a X-CSRF-Token header with the value session/csrf returned, but I get a 500 - Internal Server Error and the dialog shows “Unknown error”. If I type in an incorrect password then /session returns a 200 with the error message “Incorrect username, email or password”. If I login with Facebook then it works.

(Daniel Brief) #17

@riking - another clue - in the log I get the following stack trace:

Started POST "/session" for at 2015-03-25 11:48:12 +0000
Processing by SessionController#create as */*
  Parameters: {"login"=>"daniel@mysite.com", "password"=>"[FILTERED]"}
Completed 500 Internal Server Error in 332ms

RuntimeError (sso_url not implemented on class, be sure to set it on instance):
  lib/single_sign_on.rb:16:in `sso_url'
  lib/single_sign_on.rb:63:in `sso_url'
  lib/single_sign_on.rb:77:in `to_url'
  app/controllers/session_controller.rb:32:in `sso_provider'
  app/controllers/session_controller.rb:250:in `login'
  app/controllers/session_controller.rb:158:in `create'
  config/initializers/08-rack-cors.rb:11:in `call'
  lib/middleware/anonymous_cache.rb:123:in `call'
  config/initializers/quiet_logger.rb:10:in `call_with_quiet_assets'
  config/initializers/silence_logger.rb:26:in `call'
  lib/middleware/request_tracker.rb:70:in `call'
  lib/scheduler/defer.rb:85:in `process_client'
  lib/middleware/unicorn_oobgc.rb:95:in `process_client'

I get that sso_url is not defined, but I’m not clear where it should be defined. I tried putting a page on my main site in the “sso url” field in the login settings, but that doesn’t seem to have any effect. Should I add it to the request that passed the nonce (&sso_url=http…? )? Some other way?

(Jens Maier) #18

Uh, this looks like a bug…

Shouldn’t that be DiscourseSingleSignOn instead of SingleSignOn in line 24?

(Sam Saffron) #19

I don’t think so … its independent to other SSO on the site. We have provider working fine for us here. I think this is happening cause @danb is not sending in a return_sso_url, which 100% required for this use case.

(Jeff Atwood) #20

If it is 100% required we need to improve our error messaging to make that clear… otherwise we’ll get future support requests for this.