What to do with response from Discourse SSO as provider

I have been working to create authentication for my 3rd party application using Discourse as a SSO provider.

This means I get a response from Discourse to my web app containing the Discourse user. Everything works flawlessly until I remind myself that I need to store the user with a token to keep my user logged in. I do not receive a token from the Discourse server, which brings me to the following question.
How do I store my user in a secure way after I verify that the nonce I sent over with my payload and the nonce I receive correspond to one another?

The data I am retrieving from the authenticated user is the following:

If I am displaying ignorance on this topic then feel free to enlighten me.

external_id that we provided to you is stable and trustworthy. You would use that to create your local user record and then you would use your local user ID or something that is glued to the external id as a key in your encrypted session cookie or something.


Hey Sam,
When you say external_id is stable and trustworthy, do you mean that it is a unique identifier for the user?

Do you want me to make a user in my system based on the user I get returned?

I am getting a query string returned, as I understand it, and I only check for authentication in the request / response relation event because of my nonce. From here I do not see how I can create a session cookie.

I have followed Arpit’s guide:

but it ends with getting the user returned, and not providing further information about what I could do to create a cookie or token.
Is there any documentation providing this information?

Thank you for the reply, means a ton


Yes, it never changes.

It is not the responsibility of our SSO to dictate how you implement secure sessions on your site, you are on your own here. All we do is say to you OK, the session you have now… it is Jane, user id 1. It is up to you to decide what to do with this information, what cookies to write to the user browser, how to enforce your own session security.
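
The flow the replies above describe, as an added example that is not part of the thread and not Discourse's code: verify the callback, key a local user on `external_id`, then issue your own session cookie. The HMAC-SHA256 check on the `sso` payload is the provider protocol's; the secrets, the `USERS` dict, the helper names and the cookie layout are assumptions, and the cookie here is signed rather than encrypted because the standard library has no authenticated encryption.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs

SSO_SECRET = b"constructed-sso-secret"    # assumption: secret shared with Discourse
SESSION_KEY = b"constructed-session-key"  # assumption: key known only to your app
USERS = {}                                # stand-in user table: external_id -> local id

def _mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def _same(a, b):
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_sso_response(sso, sig, expected_nonce):
    """Return the user fields from the callback, or raise ValueError."""
    if not _same(_mac(SSO_SECRET, sso), sig):
        raise ValueError("bad signature")
    fields = {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}
    if not _same(fields.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")  # also discard the nonce after one use
    return fields

def local_user_for(fields):
    """Create or look up the local record keyed on the stable external_id."""
    return USERS.setdefault(fields["external_id"], len(USERS) + 1)

def issue_session(local_id, ttl=3600, now=None):
    """Cookie value '<local_id>.<expiry>.<hmac>', minted by your app."""
    body = f"{local_id}.{int(now or time.time()) + ttl}"
    return f"{body}.{_mac(SESSION_KEY, body)}"

def read_session(cookie, now=None):
    """Return the local user id, or None if the cookie is forged or expired."""
    body, _, mac = cookie.rpartition(".")
    if not _same(_mac(SESSION_KEY, body), mac):
        return None
    local_id, expiry = body.split(".")
    return int(local_id) if int(expiry) > (now or time.time()) else None

def constructed_callback(nonce, external_id):
    """Constructed sample of the values the provider sends back (demo only)."""
    raw = f"nonce={nonce}&external_id={external_id}&username=jane"
    sso = base64.b64encode(raw.encode()).decode()
    return sso, _mac(SSO_SECRET, sso)

if __name__ == "__main__":
    sso, sig = constructed_callback("n123", "1")
    user_id = local_user_for(verify_sso_response(sso, sig, "n123"))
    print(read_session(issue_session(user_id)))
```

Send the cookie value with the `HttpOnly`, `Secure` and `SameSite` attributes, and call `read_session` on every later request instead of going back to the provider.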


For some reason I thought I had to check up with the server that the user is, persistently, who they say they are. I will see what I can do, always appreciating all the help from the forum, thank you.
