Edit (3 hours after written) - Rewrote my post to clear up confusion after a reply made me realize it was confusing as written.
It is my understanding that Discourse primarily uses a standard username and password setup where users register with a username and password to create an account.
It is also possible to create an account that still has a username but instead of a password, it uses a third party service for authentication of the account.
It seems this can be via well known services like Google, Facebook, Twitter, etc. and custom single sign-on setups for a site with an existing authentication structure.
I have a few questions related to this behavior:
1. Can an account’s authentication method be changed after it’s created?
Just from looking at the account page for a user, it appears the answer is no.
Which leads me to wonder if so what happens if the user deletes their account on the authentication service to the Discourse account.
Like the user creates a Discourse account that uses authentication via Twitter and later deletes their Twitter account.
Does this mean the user can no longer log in to there Discourse account?
In a situation where the authentication method is a password, it can be reset, I have no idea what happens if the authentication method no longer works.
2. If a user uses another authentication method, can they be automatically logged in upon visiting the Discourse site?
I’m mainly curious in regards to using a custom sign-on setup but I would also be interested to know if this could be done with one like Facebook.
Huh, I did not intend my post to be confusing but it seems I may have done that.
Part of that confusion maybe that some of my questions are things that I could test via the test site but did not realize the test site existed.
It appears I should do some tests and rewrite my post to be more clear on what I’m attempting to ultimately figure out.
Edit: I did rewrite my main post to be more clear on what I actually wanted to know which can’t easily be figured out from using the test site as some of my initial questions could be figured out and are answered.
You can log in with multiple providers as long as they share the same email. E.g. I can use either Google or GitHub on try.discourse.org to log into the same account because I have the same email on both services.
It is however currently not possible to attach multiple OAuth providers to one profile. You can track this request here:
Might be possible with a special SSO setup or plugin but we have no plans to do automatic authentication.
Hmm, that is a bit disappointing.
If I were to setup Discourse to use a WordPress database for SSO and use Discourse for comments then it would be a little bit inconvenient to hit the sign in button for Discourse to post comments if the user is already logged in to WordPress.
I saw that plugin but thought it still had the issue mentioned above.
Namely that once the user clicks the link to the forum topic for the blog post, they will need to click Log In on Discourse to be logged in on Discourse even when they are already logged in to WordPress.
SSO is good but automatic SSO where all installed applications on a web site all automatically login when the user has logged in the SSO provider would be great.
It makes things more seemless for a user to be able to login to a web site and be logged in on all the web applications used on the site and be able to hit a logout button that logs them out from all the applications.
In my case, WordPress as an SSO Provider is more of an example, I like the idea of having a site wide authentication system that is used automatically by WordPress, Discourse and other web applications that might be installed like MediaWiki.