Upon doing some further digging around, I wonder if a slightly less hacky solution would be to adapt the approach described by @simon in this post: Automatically login via SSO
- Enable “sso allows all return paths” setting
- Add a hidden iframe on my page, which loads
https://discourse.example.com/session/sso?return_path=path_to_mypage.html - When the user is logged in (no interaction, since the user already logged in via SSO into the app in the parent page) and the iframe is redirected to
mypage.html, it can communicate to the parent page via postMessage() that the user has been logged into Discourse, and trigger the script to embed the forum topic.
Still doesn’t seem like the ideal solution, since it will generate extra round-trips (the above process is only really necessary if the user is not already logged into Discourse).
It seems to me like the ideal solution would be if it was somehow possible to preserve the referer URL of the embedding page when it gets redirected through SSO.
Edit: I implemented the improved “hack” described above in this post, and at the very least I can say it works much better than the original hack that I described in the OP.