Wondering if anyone can improve upon some existing SSO plugins for Mediawiki (e.g. Extension:PluggableSSO - MediaWiki ) to make this work without need for too much tech skills (i.e. entering all necessary info on a settings page and whoopee)
It operates as a plugin for the PluggableAuth extension. I haven’t put this on any public-facing sites yet, and it sorely lacks unit/etc tests, but it does seem to work so far. It should not require any tech skills beyond those needed for installing/configuring any other MediaWiki extension.
Hi , I wrote this SimpleSAMLphp authentication module to be able to use Discourse as an SSO provider within a SimpleSAMLphp installation. I.e. you can use Discourse as an SSO provider for any services that supports SAML or Shibboleth authentication, which is really nice.
That’s great! If you’d like to make the module more visible, you could create a topic about it in our #plugin:extras category. That category is a directory of all extensions & integrations for Discourse which are not Discourse plugins,
Is it possible to include a state parameter that gets returned unchanged, like as is done in OAuth? Asp.net core authentication middleware depends on generating a correlation id to prevent CSRF attacks, and I don’t currently have an easy way to include this.
@jessicah I tried this today and yes, it works fine.
' Create a Return URL
Dim strReturnURL As String = "https://www.example.com/authtestRETURNURL.aspx?myownparametershere=surewhynot"
' Generate a random nonce. Save it temporarily so that you can verify it with returned nonce value
Dim strNonce As String = Guid.NewGuid().ToString("N")
' Create a new payload with nonce and return url (where the Discourse will redirect user after verification)
' Payload should look like: nonce=NONCE&return_sso_url=RETURN_URL
Dim strPayload As String = "nonce=" & strNonce & "&return_sso_url=" & strReturnURL
Then on the page which is called back you’ll find this inside your decoded SSO query string:
Multi-site approaches to using discourse-auth-proxy?
Are there any examples or recommendations for using Discourse as SSO provider for multi-site authentication?
It seems like the there are two basic multisite approaches:
Use multiple instances of discourse-auth-proxy, one per site protected.
Use a single instance of discourse-auth-proxy so the payload containing return_sso_url changes based upon the source of the login request.
I think either of these could work, but the issue with these two approaches, is
that you still require logging into each different site.
There is also the risk that something is stored in Postgres that will get overwritten by each login from the different sites. ie: site1.com. site2.com
(I don’t know the details of Discourse auth/PG schema, so I don’t know)
What would be ideal is a way to have login performed once, which gets you logged into all the sites in the multi-site group. ie, site1.com, site2.com, site3.com
Apparently Stackoverflow does this using a combination of localSession storage and Iframes as the main enabler. tech description
But I’d really love to know if someone has implemented any approach to
multisite login using Discourse as the SSO provider.
approach 1: multiple instances of discourse-auth-proxy
approach 2: hacked discourse-auth-proxy affecting return_sso_url in payload.
approach 3: #1 or #2 implemented such that logging in once, means you do not have to login again when moving from site1.com to site2.com
I am tagging you @sam, since you originally authored the Go discourse-auth-proxy program.
The problem is that the return to url will be handle by the urldecode function in PHP(it’s the core workflow in MediaWiki Authentication), and the wpLoginToken value will be unexpected change from 123+\ to 123 \.
Since the provider and the non-provider settings are for opposite use cases—using Discourse to manage users for something else versus using something else to manage users for Discourse—displaying these settings mixed together invites misconfiguration. It would be less confusing if the two provider settings were consecutive and either entirely before or entirely after the non-provider settings.
@mdoggydog Thanks for the recent update to the DiscourseSsoConsumer MediaWiki extension. We’d been puzzling over what to do about users being logged out of our wiki without having logged out of Discourse, and $wgPluggableAuth_EnableAutoLogin was definitely not what we wanted, since it prevents anonymous access to the wiki. The $wgDiscourseSsoConsumer_AutoRelogin setting you added is exactly what we needed.
I am trying to use the PHP example from the original post, but the way they’re storing stuff doesn’t make sense. They’re just storing values in an SQL database with the keys login and nonce. If I want to use SQL to store the nonces what would my SQL database look like exactly?
Some other info that might help is what I’m using this for - I am hoping to link a Discourse user to a Minecraft account by generating an SSO link which is tied to their UUID. Upon successfully logging in with Discourse, I’m going to store their UUID and Discourse ID in a table.
So far, I was able to get the PHP example working, but I guess I’m not fully understanding how I’d have to modify it to work for my use-case. Ideally, I want to generate the link through a GET request and send it to the user, so the UUID is already associated with the nonce.
Thank you for this post, as I would be even more lost without it!
Edit: For nonces would I just be better off storing nonces in the table and look up by that? I know I need to match the nonce but, unless I can pass additional information through in the redirect URL (which I haven’t been successful doing so) I’m not sure how to reference the nonce properly.