So you want to use Discourse as an identity provider for your own web app? Great! Let’s get started.
Under Discourse admin site settings (/admin/site_settings), enable the setting `enable discourse connect provider` and add a secret string to `discourse connect provider secrets` (used to hash SSO payloads).
Generate a random nonce. Save it temporarily so that you can verify it against the returned nonce value.
Create a new payload with the nonce and the return URL (where Discourse will redirect the user after verification). Payload should look like:
Base64 encode the above raw payload. Let’s call this payload BASE64_PAYLOAD.
URL encode the above BASE64_PAYLOAD. Let’s call this payload as
Generate an HMAC-SHA256 signature from BASE64_PAYLOAD using your sso provider secret as the key, then create a lower case hex string from this. Let’s call this signature as
Redirect the user to
If the above steps are done correctly, Discourse will redirect the logged-in user to the provided RETURN_URL. You will get query string parameters with `sso` along with some user info. Now follow the steps below:
Compute the HMAC-SHA256 of `sso` using the sso provider secret as your key.
Convert `sig` from its hex string representation back into bytes.
Make sure the above two values are equal.
Base64 decode `sso`, and you’ll get the passed embedded query string. This will have a key called `nonce` whose value should match the nonce passed originally. Make sure that this is the case, and be sure to delete the `nonce` from your system.
You’ll find this query string will also contain a bunch of user information, use as you see fit.
That’s it. By now you should have set up your web app to use Discourse as SSO provider!
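The whole round trip described above, as an added Python example (not code from the original post or from Discourse). `SECRET`, `DISCOURSE` and the in-memory `pending_nonces` store are placeholders; the `return_sso_url` parameter name and the `/session/sso_provider` path are assumed from the DiscourseConnect provider protocol, since the text above does not spell them out, and `sig` is assumed to arrive next to `sso` in the return URL's query string.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, parse_qs

SECRET = b"constructed-example-secret"   # placeholder: your provider secret
DISCOURSE = "https://forum.example.com"  # placeholder: your forum URL
pending_nonces = set()                   # stand-in for a server-side session store


def sign(b64_payload: str) -> str:
    """Lower-case hex HMAC-SHA256 of the Base64 payload."""
    return hmac.new(SECRET, b64_payload.encode(), hashlib.sha256).hexdigest()


def build_login_url(return_url: str) -> str:
    """Create nonce + payload, sign it, and return the redirect URL."""
    nonce = secrets.token_hex(16)        # unpredictable, from the OS CSPRNG
    pending_nonces.add(nonce)            # remembered until the response arrives
    raw = urlencode({"nonce": nonce, "return_sso_url": return_url})
    b64 = base64.b64encode(raw.encode()).decode()
    # urlencode() performs the URL-encoding step for the Base64 payload.
    query = urlencode({"sso": b64, "sig": sign(b64)})
    return f"{DISCOURSE}/session/sso_provider?{query}"  # path is an assumption


def verify_response(sso: str, sig: str) -> dict:
    """Check signature and nonce; return the user fields or raise ValueError."""
    try:
        received = bytes.fromhex(sig)    # hex string back into bytes
    except ValueError:
        raise ValueError("sig is not a hex string")
    expected = hmac.new(SECRET, sso.encode(), hashlib.sha256).digest()
    # Constant-time comparison, and done before the payload is parsed at all.
    if not hmac.compare_digest(expected, received):
        raise ValueError("signature mismatch")
    decoded = base64.b64decode(sso).decode()
    fields = {k: v[0] for k, v in parse_qs(decoded).items()}
    nonce = fields.pop("nonce", None)
    if nonce not in pending_nonces:
        raise ValueError("unknown or already used nonce")
    pending_nonces.discard(nonce)        # one-time use: a replay now fails
    return fields
```

In a real deployment the nonce would live in the user's session with an expiry, so that a response can only complete the login attempt that started it.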
- An http proxy (using golang) that uses Discourse SSO to authenticate users (only Admins): GitHub - discourse/discourse-auth-proxy: An http proxy that uses the DiscourseConnect protocol to authenticate users (made by @sam)
- ASP.NET Core (only requires configuration): GitHub - Biarity/DiscourseSso: Easy, configurable Discourse SSO: GET /auth/login -> recieve a JWT with user data