I would like to lower the hurdle to log in to our school forum by the following procedure:
Links sent by mail to the (mostly non-public) forum should contain the username of the addressed user (like
If a not logged-in user opens this link, a page offers to send a login link by clicking a button.
If clicked, a login with a login token should be sent to the user, which then allows them to open the target page without further interaction for a specific time. Otherwise, a “resend login link” button should be offered.
Has this already been implemented somewhere?
If not: which machinery exists, which could be used to implement it?
You want to use DiscourseConnect such that users logged in to your system are also logged into Discourse.
Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso)
There is no other system.
Most of the users use the forum only by mail.
We already support login via email:
So automating/simplifying this is certainly feasible.
Yes. This is our prominent way to log into the forum. But for a big part of the users, this seems to be too difficult.
In addition, we face the problem that some users use non-identical email addresses in their communication. For example,
(at)googlemail.com, or email addresses with or without added dots in the username. They do not remember which email address they once wrote on the paper (yes, sorry, it’s Germany) registration form and are either unaware of these problems or of the possibility to learn about their “login email address” by checking their mail headers.
Therefore, I am investigating a way that links sent to users allow users to log in without further knowledge of how to use the Discourse login procedure.
There is certainly a security risk. If you are comfortable accepting it, some automation that generates the links we generate when you try to log in via email is certainly feasible, as long as they already have accounts.
Hm. I tried to circumvent this in my proposal.
I understand that links which would log users in directly are dangerous.
But with the suggested mechanism, the only risk I see is users getting unwanted login links sent to them.
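
The flow proposed in this thread (button click, mailed login token valid for a limited time, resend option), as an added Ruby sketch that is not part of any post and is not Discourse code. The class, its method names and both time limits are assumptions; it throttles mails per user, which bounds the unwanted-mail risk named in the last post, and makes each token single-use.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-alone sketch; none of these names are Discourse APIs.
class LoginLinkIssuer
  TOKEN_TTL   = 15 * 60   # assumed lifetime of a login link, in seconds
  RESEND_WAIT = 5 * 60    # assumed minimum gap between mails per user

  def initialize(known_users)
    @known_users = known_users   # usernames that already have accounts
    @last_sent   = {}            # username => time of the last mail
    @tokens      = {}            # SHA-256(token) => [username, expiry]
  end

  # Called when the button is clicked. Returns the token to mail, or nil
  # when no mail goes out (unknown user or throttled). The page shown to
  # the visitor should be identical in both cases.
  def request_link(username, now = Time.now)
    return nil unless @known_users.include?(username)
    last = @last_sent[username]
    return nil if last && now - last < RESEND_WAIT
    token = SecureRandom.urlsafe_base64(32)
    # Only the digest is stored, so a leaked store yields no usable links.
    @tokens[Digest::SHA256.hexdigest(token)] = [username, now + TOKEN_TTL]
    @last_sent[username] = now
    token
  end

  # Called when the mailed link is opened. Single use: the entry is
  # deleted on the first attempt, so a replayed link fails.
  def redeem(token, now = Time.now)
    username, expiry = @tokens.delete(Digest::SHA256.hexdigest(token.to_s))
    return nil if username.nil? || now > expiry
    username
  end
end
```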