Hello,
I have created an Erlang implementation for encoding/decoding the payloads described in this specification. You can find it here:
https://github.com/reverendpaco/discourse-as-sso-erlang
Feedback is welcome.
Thanks to @mpalmer on another thread for setting me straight.
As I put together this implementation, I realized that the specification does not say too much about a few things:
- the user information that is returned in the query parameters,
- what happens when a user is not found
When I got around to testing I found the answers, and then confirmed by looking at the code, here: https://github.com/discourse/discourse/blob/master/app/controllers/session_controller.rb#L33
I shall assume that in regards to 1. that while new user information may be added, that none of these values (“name”,“username”,“email”,“external_id”, etc) will be removed. This is just as important, contractually as what is described in the main post.
One piece of feedback I’d like to give the Discourse team is that it would be nice to add a means to optionally return back to the calling application in the case of a missing user.
Currently, at line 51 a non-logged-in or non-registered user will be forwarded to the Discourse login page. While this can be useful, I would rather programmatically have the option to learn that this person has not yet logged in (or registered) and give them the opportunity on my site to continue anonymously.
I can imagine something like this:
DISCOURSE_ROOT_URL/session/sso_provider?
sso=URL_ENCODED_PAYLOAD&sig=HEX_SIGNATURE&
returnBackIfUserMissing=true
and then the Discourse site sending back to the return_sso_url with either a special header, or an attribute, rather than redirecting to /login.
This change should be backwards compatible.
I’m new here, so if this is something that could be contributed via a pull-request, please tell me and I could take a shot at it next week.
thanks,
daniel