What is the best SSO approach?


(Dylan Burkhardt) #1

I have created a bit of a mess with logins from various different services on my website and am working to consolidate things.

Currently, I have Disqus Comments, Discourse Forum, WordPress Users (for subscriptions/membership) and legacy users that log in to both WordPress and Discourse through Patreon (OAuth).

Safe to say, it is all a bit messy.

My plan is to consolidate the comments into Discourse, but I want to consolidate the WP/Discourse users as best as possible. My gut tells me that I need to use WP as the SSO Provider because of the membership features that I’m using on the WP site, but overall I am definitely not sure. If I do that, users could sign in to read content on the main page and click to join the discussion and be good to go.

The documentation also recommends doing the opposite, but that seems to assume that Discourse is the main tool. Am I going to create problems for current Discourse users if I use WP?

Any pros/cons or suggestions here?


#2

Yes – if WP is handling membership records then this makes sense.

Nope!


(Simon Cossar) #3

I think you’re on the right track. I’m wondering where you’re seeing this:


(Dylan Burkhardt) #4

Seems like there were a couple places that suggest using Discourse as the SSO provider is better since Discourse has a stronger user management platform. I.e.: “Note: Discourse has a very good user management system. Don’t enable this setting unless you have a reason to manage your users through WordPress.”

Then again, my use case seems to qualify as a ‘reason’ so that makes sense too. Just didn’t want to mistakenly go down the wrong path.


(Dylan Burkhardt) #5

So is it possible to use WP as an SSO provider (auto login potentially) and then still have Discourse users be able to log in (via Discourse) to the forum without creating a WP account?

I’m guessing this is a one or another, but maybe I’m missing something.


(Simon Cossar) #6

No, with WordPress as the SSO provider, users can only log in and create accounts through WordPress.


(Dylan Burkhardt) #7

Thanks, that makes sense now that I think about it.

Would be hard to explain to all of the previous Discourse users that they need to create a new account, etc. Seems like I’m going for the best of both worlds when I can only get one.

Is there any sort of best practice to migrate Discourse users to WP/auto create accounts or allow users to log in to WP with their Discourse creds and create an account? Probably not because the Discourse auth would be turned off, right?


(Simon Cossar) #8

Probably the easiest approach would be to export the user data from Discourse and then import it into WordPress. You can export a CSV file of Discourse users through the admin section. There are WordPress plugins for importing users.


#9

The CSV export doesn’t include passwords, so you’d have to have users go through a password reset routine or assign passwords during the CSV import and email them to your users.


(Dylan Burkhardt) #10

Yes, that’s what I expected. So they’ll all have to get an email to reset their password. Looks like some plugins for WP that import users can auto-send that message.


#11

If you have a lot of users, and they all try the reset lost password routine in a short period, you could have email deliverability issues as ISPs will think you are spamming them and throttle the messages WP sends out with the password reset link. I made that mistake and did it this way, then had to monitor the Mailgun logs for problems.

You could assign a random password to each user, then use a mail service like Mailchimp to send each individual a customized email using merge tags to include their username and password.
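
The migration discussed in posts #8 to #11, as an added example that is not part of the original thread: it maps a Discourse user export to WordPress import rows with a random password each, sets aside rows whose email is blank or duplicated, and spreads the notification mails into timed batches. The export column names (`username`, `name`, `email`), the output columns, the sample rows and the batch sizes are assumptions; match them to the actual export file and to the import plugin you use.

```python
import csv
import io
import secrets
import string

# Constructed sample of a Discourse user export; the column names are assumed.
SAMPLE_EXPORT = """username,name,email
alice,Alice A,Alice@Example.com
bob,Bob B,bob@example.com
bob2,Bob B,BOB@example.com
carol,,carol@example.org
dave,Dave D,
"""
ALPHABET = string.ascii_letters + string.digits

def random_password(length=20):
    """Password drawn from the OS CSPRNG (secrets), not the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_import_rows(export_text):
    """Map export rows to import rows; blank or duplicate emails are set aside."""
    rows, skipped, seen = [], [], set()
    for rec in csv.DictReader(io.StringIO(export_text)):
        email = (rec.get("email") or "").strip().lower()
        if not email or email in seen:
            skipped.append(rec["username"])  # needs manual review before import
            continue
        seen.add(email)
        rows.append({
            "user_login": rec["username"],
            "user_email": email,
            "display_name": rec.get("name") or rec["username"],
            "user_pass": random_password(),
        })
    return rows, skipped

def plan_batches(rows, per_batch, minutes_apart):
    """Spread the mails out: one (delay_in_minutes, [emails]) tuple per batch."""
    return [
        (i // per_batch * minutes_apart,
         [r["user_email"] for r in rows[i:i + per_batch]])
        for i in range(0, len(rows), per_batch)
    ]

if __name__ == "__main__":
    rows, skipped = build_import_rows(SAMPLE_EXPORT)
    print("skipped for review:", skipped)
    for delay, emails in plan_batches(rows, per_batch=2, minutes_apart=30):
        print(f"+{delay} min:", emails)
```

Rows that share an email after lowercasing are skipped rather than merged, because two forum accounts would otherwise collapse into one WordPress account.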


(Dylan Burkhardt) #12

Good tip.

It’s almost like what I really need is the ability to use WordPress as an OAuth provider more than an SSO provider. Then I can skip a lot of these headaches potentially even if they have to click ‘login with WordPress’.

Now that I’m thinking about it more… Would this scenario actually work better:

  • Discourse as SSO Provider
  • Users can still register for forum
  • Accounts that have a login for both forum and WP will be synced by email and will auto login if logged into the forum.
  • Can log in to WP with their WP credentials or ‘login via Discourse link’

The only drawback I see here is that new WP users wouldn’t automatically have a Discourse account created. That seems to be the only con, but a pretty big one.