Log in with Discourse?


#1

My users are all signed up on Discourse, not via SSO. Is there any way to provide a “log in with discourse” button on my webapp? Most of the threads I can find just have info on using an external user database with Discourse, not the other way around.

I don’t need (and would prefer to not use) OAuth or anything overly complicated, just a check that the user knows the u/p for that account.

My frontend loadbalancer(s) all emit X-Forwarded-For, and Discourse’s docker nginx config trusts them for it, so just attempting to POST a login should work and not trigger anything like too many login attempts from one IP?


(Dean Taylor) #2

There are not many threads on that topic but check out these:

The first is kind of the reverse SSO that would get you what you need; however, it is not as simple as checking via a single API call whether the user knows the password.

Obviously you could reproduce exactly what the login form does:

  1. grab the /csrf value
  2. call /session passing login and password and passing CSRF appropriately
  3. check the response for a non-error value e.g. not {"error":"Incorrect username, email or password"} or similar

You may be able to avoid CSRF entirely by using a master API key - but you would need to get confirmation / test this yourself.

Obviously I’m talking about doing this server side (could be a PHP app or something on another server).
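
The three steps above, done server side, as an added example that is not part of the thread and not Discourse's own code. The `/session/csrf` path and the `X-Requested-With` header are assumptions about the Discourse version in use; the `X-CSRF-Token` header name is the one given later in this thread.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

CSRF_PATH = "/session/csrf"  # assumption: endpoint that returns {"csrf": "..."}
AJAX = {"X-Requested-With": "XMLHttpRequest", "Accept": "application/json"}


def login_succeeded(body):
    """Step 3: fail closed. Only a JSON object with no "error" key passes."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and bool(data) and "error" not in data


def verify_discourse_login(base_url, login, password, opener=None):
    """Return True only if Discourse accepts login/password; never raises on
    network or parse failures, so an outage cannot be mistaken for success."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    base = base_url.rstrip("/")
    # The CSRF token is bound to the session cookie, so both requests must
    # share one cookie jar.
    opener = opener or urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    try:
        # Step 1: grab the CSRF value.
        req = urllib.request.Request(base + CSRF_PATH, headers=AJAX)
        with opener.open(req, timeout=10) as resp:
            token = json.loads(resp.read())["csrf"]
        # Step 2: POST login and password, passing the token as a header.
        form = urllib.parse.urlencode({"login": login, "password": password})
        req = urllib.request.Request(
            base + "/session", data=form.encode(),
            headers={**AJAX, "X-CSRF-Token": token})
        with opener.open(req, timeout=10) as resp:
            return login_succeeded(resp.read())
    except (OSError, ValueError, KeyError, TypeError):
        # HTTP 4xx/5xx (including rate limiting), timeouts, malformed JSON.
        return False
```

The `opener` parameter exists so the function can be exercised against a stub; in production leave it unset and keep the password out of logs and error messages.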


(Sam Saffron) #3

Discourse implements its own sso protocol, so you could do that.


(jark) #4

So how?

Is there any document or demo to help us?


(Zinda Xyz) #5

How can I pass the CSRF token in the request?

I mean, what was the parameter name of the CSRF token?


(Dean Taylor) #6

It’s an HTTP header, X-CSRF-Token.

You can see an example of response request for the process completed in CURL here: