Switching out authentication for a passwordless alternative

This post is about a feature that definitely does not exist but that I want to implement myself. At this point, though, I have no idea how much work it might be, and the aim of this question is to try and work out what is required.

Some context, we are working on a passwordless authentication solution. https://trykno.com/ The solution works as a service, meaning the site owners using the service do not have to handle securely sending emails or storing any secrets and personal identifying information.

It would be great for us to have a forum for the project, and we would like to use Discourse.
However, we need to change out the authentication so that it uses Kno.

Questions?

  • Is the authentication system in Discourse pluggable?
  • Are there any hard-coded assumptions that the user has an email?
  • What is the front end framework? (I see ember-rails in the Gemfile, but no reference to Ember in package.json.)

Sorry if these questions are simplistic, I am not a Ruby dev and any handles onto the problem would be valuable. Thanks

Assuming you mean “Discourse” :stuck_out_tongue: Yes it is pluggable. You can either develop an auth plugin or use the native SSO system

Yes, every user must have an email in Discourse. You can supply invalid emails (ending in .invalid), but we do not recommend it.

Ember. But for an authentication plugin, it’s unlikely you would need to touch the front end.

6 Likes

Ahh embarrassing will update.

It’s a feature that you do not have to know the user’s email when using Kno, although it can be requested.

2 Likes

It’s currently possible not to use a password and just have a link sent to you.

If your point is to develop Kno, you likely want to develop it as an OAuth server. Then people could use it as one of several authentication sources where SSO is the only one. See OAuth2 Basic Support

2 Likes

I see the possibility of getting a link sent, but Kno provides more, such as device auth via WebAuthn once you have confirmed your email one time.

Developing as an OAuth server unfortunately doesn’t fill the requirements that we need. (I should probably write something in our FAQ as to why this is, but it comes down to how Kno lets you authenticate on one device using a different device).

Looking at things a bit more, it looks like I should be able to put together a workable first version by implementing a Discourse-specific SSO solution.

1 Like
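
Added example, not part of the thread and not Discourse's or Kno's own code: the provider side of the Discourse SSO exchange mentioned above, in Ruby, assuming Discourse's documented scheme (a base64 `sso` payload whose HMAC-SHA256 under a shared secret is sent as `sig`). The secret, host name, user values and helper names are constructed for illustration; note the email field, which Discourse requires for every user.

```ruby
require 'openssl'
require 'uri'

# Constructed shared secret; the same value must be configured in Discourse.
SSO_SECRET = 'constructed-example-secret'

# Hex HMAC-SHA256 of the base64 payload, as carried in the `sig` parameter.
def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SSO_SECRET, payload)
end

# Constant-time comparison so a signature check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the request Discourse redirected to the provider and return its fields.
# Nothing in the payload (including return_sso_url) is trusted before this check.
def verify_request(sso, sig)
  raise ArgumentError, 'bad signature' unless secure_equal?(sign(sso.to_s), sig.to_s)
  URI.decode_www_form(sso.unpack1('m')).to_h
end

# After the provider has authenticated the user, build the signed redirect back.
# The nonce from the verified request is echoed so the reply binds to that login.
def build_response(request, external_id:, email:)
  raise ArgumentError, 'email required' if email.to_s.empty?
  raw = URI.encode_www_form(nonce: request.fetch('nonce'),
                            external_id: external_id, email: email)
  payload = [raw].pack('m0')
  query = URI.encode_www_form(sso: payload, sig: sign(payload))
  "#{request.fetch('return_sso_url')}?#{query}"
end

# Constructed stand-in for the redirect Discourse would send to the provider.
def sample_request
  raw = URI.encode_www_form(nonce: 'abc123',
                            return_sso_url: 'https://forum.example/session/sso_login')
  payload = [raw].pack('m0')
  [payload, sign(payload)]
end
```
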

Is it possible to use one OAuth provider, and disable all other kinds of authentication?

In such a case it would also be good if clicking login automatically started the auth flow, i.e. without opening the login modal and asking the user to select the provider.

You might be able to plug that.

But why bother, because once someone is logged in they hardly ever see that dialogue?

You are better off spending your time more productively on other problems.

Did you try it? Because that is how Discourse works out of the box for years now :wink:

3 Likes

Oh well, this is excellent.
No, I haven’t tried it because I haven’t implemented the OAuth provider for my service, and I guess after that I need to write a plugin because it will be a new OAuth provider.

I have nearly finished my SSO integration, so I guess it’s the perfect time to switch over to using OAuth. :smiley:

1 Like