SSO with TownNews CMS

Has anyone set up SSO to a Townnews site?

I am not aware of any sites using Townnews or BLOX CMS with Discourse SSO. Do you know if it is possible to add code to a site that uses that service? If the Discourse SSO code can be added to the site, it may be possible to use it as the SSO provider for Discourse.

3 Likes

Sorry, I’m a newb, but using townnews as the sso source is what I meant. What code would I need to add to the site?

This means that townnews would be the SSO provider for your Discourse site. To use Discourse’s implementation of SSO you need to be able to add code to the service that is functioning as the SSO provider. That code needs to hook into the service’s login process. You can find details about the code that needs to be added here: Official Single-Sign-On for Discourse (sso).

For a working code example, have a look at how our WordPress plugin implements SSO: https://github.com/discourse/wp-discourse/tree/master/lib/sso-provider.

It may also be possible to log users into Discourse via Townnews with OAuth2. This would be possible if Townnews can function as an OAuth2 provider. There are details about setting up OAuth2 logins with Discourse here: OAuth2 Basic Support. Before spending too much time on that, it would be good to confirm if Townnews can function as an OAuth2 provider. It should be possible to find that out from their documentation.

3 Likes

I am trying to deal with my site provider but I thought I’d share this with you to see if it had info you could use to help me. I appreciate you taking the time.

Redirect to provider endpoint

Every BLOX-CMS site has a federated authentication endpoint available at the same reserved URL:

https://www.example.com/tncms/auth/federated/

The consumer site initiates authentication by redirecting the user’s browser to this URL. The endpoint requires a parameter return which must be set to the URL of the consumer site’s endpoint.

An example URL:

https://www.example.com/tncms/auth/federated/?return=http://vendor.com/login/

The endpoint also accepts additional parameters:

  • source : This parameter and its value will be passed to the site’s login URL if authentication of the user is required. Templates may react to this value to customize the login form’s interface. Defaults to a value of ‘federated’ if not specified.

  • reauth : Set to a truthy value to force the login page to be displayed regardless of the user’s current login state.

Redirect to consumer endpoint

The consumer site’s endpoint URL is given to the provider in the return parameter when the user is initially redirected to the provider’s endpoint. After successful authentication to the provider site the user will be redirected to this URL along with a parameter code. The value of code is to be exchanged for the user’s account details in an immediate follow-up webservice call as described below.

The consumer’s endpoint URL may contain query parameters of its own. The code parameter will be merged into them without clobbering the other values.

It is possible, depending on how the provider site’s templates are written, for the user to arrive at the consumer endpoint without a value for code. In this case the user should be treated as if she opted to cancel out of the authentication process.

An example response on successful login (based on the earlier example):

http://vendor.com/login/?code={code}

Where {code} is a unique identifier for use in the follow-up web service.

Follow-up webservice call

Upon the user landing at the consumer’s endpoint with a valid code the consumer site should issue an immediate webservice call to the provider site to exchange it for the user’s account information.

The consumer site will access the get action of the user module, passing the code parameter it was given by the provider:

https://www.example.com/tncms/webservice/v1/user/get/?code={code}

The response will be a data object of the user’s account as described in the webservices documentation. On an invalid code a null response will be returned.

A code is usable only once. After being used to retrieve a user account it is immediately invalidated and future requests with it will return null responses.

3 Likes
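To make the two halves of this thread concrete, here is an added example (not code from Discourse, the wp-discourse plugin, or TownNews) of a small bridge that sits between the two protocols: it verifies the signed `sso`/`sig` request Discourse sends to its SSO provider, redirects the browser to the BLOX federated endpoint described above, handles the `code` callback (including the no-`code` cancel case and the single-use, null-on-invalid behaviour of `user/get`), and finally builds the signed payload Discourse expects back. The shared secret, the site URLs, the bridge's own endpoint, the field names of the BLOX user object (`uuid`, `email`, `screen_name`) and the `fake_blox_webservice` stand-in are all assumptions or constructed stand-ins; the Discourse signing scheme (HMAC-SHA256 over the base64 payload, `nonce` echoed back) follows the official Discourse SSO documentation linked earlier.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder; the real value is the SSO secret configured in Discourse.
SSO_SECRET = b"example-shared-secret"
BLOX_SITE = "https://www.example.com"                      # the BLOX-CMS (TownNews) site
CONSUMER_ENDPOINT = "https://forum-bridge.example/login/"  # assumed bridge endpoint

# Server-side store of in-flight logins: opaque state token -> Discourse nonce + return URL.
# Keeping the nonce here (not in the URL) means the callback can only complete a login
# this bridge actually started.
PENDING = {}


def sign(payload_b64):
    """HMAC-SHA256 hex digest over the base64 payload, as Discourse computes it."""
    return hmac.new(SSO_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def start_login(sso, sig, reauth=False):
    """Step 1: Discourse sent the browser here with sso/sig. Verify the signature,
    remember the nonce under a fresh state token, and return the BLOX redirect URL."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("SSO request signature does not verify")
    fields = parse_qs(base64.b64decode(sso).decode())
    state = secrets.token_urlsafe(16)
    PENDING[state] = {"nonce": fields["nonce"][0],
                      "return_sso_url": fields["return_sso_url"][0]}
    # BLOX merges its `code` into our return URL without clobbering our `state` parameter.
    consumer = f"{CONSUMER_ENDPOINT}?{urlencode({'state': state})}"
    params = {"return": consumer}
    if reauth:
        params["reauth"] = "1"   # force the login form even if the user is logged in
    return f"{BLOX_SITE}/tncms/auth/federated/?{urlencode(params)}"


def state_from_redirect(redirect_url):
    """Recover our state token from the `return` parameter of the BLOX redirect URL."""
    consumer = parse_qs(urlparse(redirect_url).query)["return"][0]
    return parse_qs(urlparse(consumer).query)["state"][0]


def finish_login(callback_url, fetch):
    """Step 2: BLOX redirected the browser back to the consumer endpoint.
    `fetch(url)` performs the server-to-server webservice call and returns the body
    text. Returns the signed Discourse redirect URL, or None when the user cancelled
    (no `code`), the state is unknown, or the code was invalid / already used."""
    qs = parse_qs(urlparse(callback_url).query)
    pending = PENDING.pop(qs.get("state", [None])[0], None)
    code = qs.get("code", [None])[0]
    if pending is None or code is None:
        return None
    body = fetch(f"{BLOX_SITE}/tncms/webservice/v1/user/get/?{urlencode({'code': code})}")
    user = json.loads(body) if body else None   # BLOX returns null for a bad/used code
    if not user:
        return None
    # Field names of the BLOX user object are assumed here; check the webservice docs.
    payload = urlencode({"nonce": pending["nonce"], "external_id": user["uuid"],
                         "email": user["email"], "username": user["screen_name"]})
    b64 = base64.b64encode(payload.encode()).decode()
    return f"{pending['return_sso_url']}?{urlencode({'sso': b64, 'sig': sign(b64)})}"


# --- Constructed stand-ins so the whole flow runs offline -------------------------

_CODES = {"c0ffee": {"uuid": "u-123", "email": "jane@example.com", "screen_name": "jane"}}


def fake_blox_webservice(url):
    """Mimics user/get: returns the user object once per code, then `null`."""
    code = parse_qs(urlparse(url).query).get("code", [None])[0]
    return json.dumps(_CODES.pop(code, None))


def fake_discourse_request(nonce="abc123", return_url="https://forum.example/session/sso_login"):
    """Builds the sso/sig pair Discourse would send to its SSO provider."""
    b64 = base64.b64encode(urlencode({"nonce": nonce, "return_sso_url": return_url}).encode()).decode()
    return b64, sign(b64)


def decode_discourse_response(url):
    """What Discourse does on receipt: verify the signature and decode the payload."""
    qs = parse_qs(urlparse(url).query)
    sso, sig = qs["sso"][0], qs["sig"][0]
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("SSO response signature does not verify")
    return {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}


if __name__ == "__main__":
    sso, sig = fake_discourse_request()
    redirect = start_login(sso, sig)
    state = state_from_redirect(redirect)
    back = f"{CONSUMER_ENDPOINT}?state={state}&code=c0ffee"
    print(decode_discourse_response(finish_login(back, fake_blox_webservice)))
```

In a real deployment `start_login` and `finish_login` are the two HTTP handlers of the bridge, `fetch` is an HTTPS client call to the BLOX site, and `PENDING` lives in a store with expiry rather than a dict. The bridge never trusts anything in the callback URL beyond the `state` it issued and the `code` it exchanges server-side, so a forged or replayed callback cannot log a user in.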

This looks promising: https://help.bloxcms.com/knowledge-base/applications/settings/users/authentication_provider/article_fa0ce6ec-9824-11e4-b296-23bd78ef308a.html:

The Authentication Provider option allows your site to serve as an OpenID Authentication Provider. This means that users of your site may use their credentials from your site to log in to other sites that permit it. Other BLOX CMS sites could act as client sites, permitting this exchange of log in credentials.

It should be possible to configure a BLOX CMS site to function as the OpenID Authentication provider for Discourse. If so, this would mean that users could log into your Discourse forum through your TownNews site. To set this up you will need to install the OpenID Connect Authentication Plugin on your Discourse site. Configuring it could involve some trial and error. Let us know if you get stuck and we’ll try to help.

3 Likes