I originally posted this in the GitHub PR, sorry about that, should have posted it here. I have some thoughts and humble opinions on this and thought I’d share ’em:
Cool feature! We are currently using two-factor authentication with Discourse and OpenAM (OAuth2). One advantage of offloading the more complex authentication to an AM solution like OpenAM (or Gluu, or whatever AM solution you want to use) is that it allows for vastly more flexibility than Discourse probably ever will. So while I think it’s really cool what you’ve made, I would just like to point out that it might be wise for the devs to think about how much security complexity they want to pull into Discourse and where to draw the line and off-load it to other solutions.
When reading about this feature request, I think the team want this in the core. So here it is. And you can still use the third party service without a doubt! It’s optional.
I use OpenAM at work and we do authentication at the reverse proxy level, using Lua on nginx. Integrating with Discourse was just a matter of creating one more nginx endpoint that responds to Discourse SSO requests; we used Lua for that too, so everything OpenAM-related is handled at nginx.
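For readers who want to see what such an SSO endpoint has to do, here is an added example (not the poster’s nginx/Lua code) of the two halves of the Discourse SSO exchange in Python: verifying the HMAC-SHA256 signature on the incoming `sso`/`sig` pair before trusting the nonce, then building the signed response sent back to `return_sso_url`. The shared secret, nonce and user fields are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Shared secret configured on both Discourse and the provider (constructed placeholder).
SSO_SECRET = b"constructed-shared-secret"


def sign(payload: bytes, secret: bytes = SSO_SECRET) -> str:
    """Discourse signs the raw base64 'sso' string with HMAC-SHA256, hex-encoded."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_sso_request(sso: str, sig: str, secret: bytes = SSO_SECRET) -> dict:
    """Check the signature (constant-time) before decoding anything.

    Raises ValueError on a bad signature so the caller never acts on an
    unsigned or tampered nonce/return_sso_url.
    """
    expected = sign(sso.encode(), secret)
    if not hmac.compare_digest(expected, sig):
        raise ValueError("invalid SSO signature")
    decoded = base64.b64decode(sso).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}


def build_sso_response(nonce: str, user: dict, secret: bytes = SSO_SECRET) -> dict:
    """Build the signed payload the provider redirects back to return_sso_url.

    'user' carries the fields Discourse expects (email, external_id, username, ...);
    the nonce is echoed back so Discourse can match it to the request it issued.
    """
    payload = base64.b64encode(urlencode({"nonce": nonce, **user}).encode())
    return {"sso": payload.decode(), "sig": sign(payload, secret)}


def make_request(nonce: str, return_url: str, secret: bytes = SSO_SECRET) -> dict:
    """Constructed stand-in for the request Discourse sends to the provider."""
    sso = base64.b64encode(urlencode({"nonce": nonce, "return_sso_url": return_url}).encode())
    return {"sso": sso.decode(), "sig": sign(sso, secret)}


if __name__ == "__main__":
    req = make_request("constructed-nonce-1", "https://forum.example/session/sso_login")
    fields = verify_sso_request(req["sso"], req["sig"])
    resp = build_sso_response(fields["nonce"], {"email": "alice@example.com",
                                                "external_id": "42", "username": "alice"})
    print(verify_sso_request(resp["sso"], resp["sig"]))
```

In a real redirect both `sso` and `sig` are URL-encoded as query parameters; the functions above operate on the decoded values.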
@Lee_Ars I ended up here searching for another topic and I’m not really interested in this one, so I honestly have little clue what you’re talking about, but… I just wanted to thank you for mentioning PAM there. I enjoyed reading a few other off-topic bits here.
Since we’re nearing the end of the year, I’ll give this thread my yearly “hey @sam, we would love 2FA” bump. Duo, Yubi, or just plain ol’ TOTP—anything would be great.
Perhaps, and we totally love 2FA at Discourse, but none of our paying customers are pushing for it. Keep in mind, if you use Google, you get 2FA for free by virtue of using Google.
Hopefully, this will be implemented very soon; security is 100% very important to me. Even a site setting “Require two-factor authentication to enter admin panel” is a great idea. I’m with this idea!