How can an API user create posts as another user?


#1

I’m using the API of Discourse with a custom UI. I’m attempting to integrate this behind an orchestration layer that already authenticates users. I’d like to be able to more or less bypass authentication on the Discourse side of things.

We use JWT tokens, and it seems that ideally I could just pass these along to Discourse and tell it to trust them. I see that there’s some JWT related projects in the discourse GitHub organization, but there’s no documentation or usage examples, Google hasn’t been helpful, I haven’t found any relevant threads in meta, and I don’t really speak Ruby :frowning:

Is there a way I could leverage our existing authentication by just passing these tokens through to Discourse?

Failing that, as an API user, how can I create topics and posts on behalf of other, authenticated users?


#2

One strategy I’m exploring is creating an API user for every user in my system. Any obvious downsides to this?


(Felix Freiberger) #3

You could use a master API key, and specify the username of the user you are impersonating – the master API key should always work.


#4

Okay, that’s interesting. How would you specify the user name? As the api_username parameter on the query string?


(Felix Freiberger) #5

Yes, exactly. This is the name of the user performing the action, while the API key just proves you’re allowed to speak for that user.


#6

Excellent, that sounds perfect. I’ll try it out.