What security risks may be involved with others knowing the SSO secret?
My WordPress install is multisite and multiuser. There doesn’t seem to be a way to set Discourse settings at the network level from the WP plugin. This doesn’t seem to be a huge problem otherwise (though it would smooth workflow), but I can’t find a way to prevent the subsite admins from having access to the plugin settings, which include the SSO secret.
Discourse is using the network-level user table as the endpoint so that the Discourse users are basically an aggregate of all sites. I’d rather not provide access or security holes for subsite admins to see the full network user list/details. All of the subsite admins do not have admin/moderator privileges in Discourse. In effect, my Discourse admin privileges are more like Super Admin privileges in WordPress multisite, and the lack of plugin settings at the network level blurs this line.
Have I simply failed to discover the plugin’s network-level settings? If not, is anyone working on improving WordPress multisite compatibility?