Wordpress SSO AND Patreon Login

Hi again! I had a question. A client of mine wants to gradually move his membership from Patreon to Wordpress (via Woocommerce Memberships). I know this is possible based on other forum posts.

However, my question is, if we enable SSO with Wordpress as the provider, is wordpress the ONLY way to sign into the forums? Would enabling SSO with Wordpress no longer allow Patreon users to sign in via their Patreon accounts? Or, is it possible to have both running together?

Sorry if this is confusing or the wrong place to be asking this.

Thanks in advance!

2 Likes

Yes, the first S in SSO is Single. Wordpress becomes authoritative for all authentication.

That said, if Patreon is providing user email addresses the users can register on Wordpress to get back into their accounts providing they use the same address.

3 Likes

You could also allow users to login to your WordPress site via Patreon with Patreon WordPress – WordPress plugin | WordPress.org. I have not tested this, but it should be possible to allow users to login to WordPress via Patreon while still having SSO login between WordPress and Discourse. If you try that and have any problems getting it to work, please let us know.

3 Likes

Hi! I have tested this setup and it basically works! :slight_smile:
The only issue I found is that it doesn’t redirect to Discourse after successful login - it returns the user to wordpress. The user has to manually go to Discourse and then hit the “Log In” button again to get registered. I wonder if this can be fixed somehow?

I have recorded the video to show how it works -

1 Like

Thanks for trying that. It sounds like the SSO parameters that are required for logging the user into Discourse are getting stripped during the Patreon login process. If that is the case, there probably isn’t anything that can be done to fix the issue.

2 Likes

I wonder, can this be fixed by modifying the Wordpress-Patreon plugin? Is it worth contacting its authors? :slight_smile:

If the cause of the issue is what I think it is, then modifying the WordPress Patreon plugin could fix the issue. What I think is causing the problem is that the WordPress Patreon plugin is stripping the sso and sig query parameters that are sent with the Patreon login request. It could be worth contacting that plugin’s developers about the issue.

Before doing that, you should confirm that clicking the Login button on Discourse, for a user who is not currently logged into WordPress, takes the user to the WordPress login page. If the user then selects the Patreon login option, they are logged into WordPress but not logged into Discourse. Note that if your Discourse site is set to be private, the above should happen if a user browses directly to your Discourse site. For that case, the user will not see a Login button on Discourse.

2 Likes
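The `sso` and `sig` query parameters discussed above, as an added example that is not part of the original posts or of either plugin's code: a minimal Python model of the Discourse SSO exchange, showing that the provider cannot build a signed reply once those two parameters have been dropped during a login detour. The secret, host names, user fields and the `third_party_hop` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-demo-secret"  # assumption: stands in for the shared SSO secret
RETURN_URL = "https://discourse.example.com/session/sso_login"  # placeholder host


def sign(payload: str) -> str:
    """Hex HMAC-SHA256 over the base64 payload, as carried in `sig`."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def discourse_request(return_url: str = RETURN_URL) -> dict:
    """Query parameters Discourse appends when it sends a user to the provider."""
    raw = urlencode({"nonce": secrets.token_hex(16), "return_sso_url": return_url})
    sso = base64.b64encode(raw.encode()).decode()
    return {"sso": sso, "sig": sign(sso)}


def provider_response(query: dict, user: dict):
    """Provider side: return the redirect back to Discourse, or None."""
    sso, sig = query.get("sso"), query.get("sig")
    if not sso or not sig:
        return None  # parameters lost on the way: no nonce to sign back
    if not hmac.compare_digest(sign(sso), sig):
        return None  # payload was not produced with the shared secret
    request = parse_qs(base64.b64decode(sso).decode())
    raw = urlencode({"nonce": request["nonce"][0], **user})
    out = base64.b64encode(raw.encode()).decode()
    return request["return_sso_url"][0] + "?" + urlencode({"sso": out, "sig": sign(out)})


def third_party_hop(query: dict) -> dict:
    """Models a login detour that forwards only its own parameters."""
    return {k: v for k, v in query.items() if k in ("code", "state")}


if __name__ == "__main__":
    user = {"external_id": "42", "email": "member@example.com"}  # constructed
    q = discourse_request()
    print("direct login :", provider_response(q, user))
    print("after detour :", provider_response(third_party_hop(q), user))
```
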

Hi! I have submitted a report to the Patreon Plugin developers - Redirecting not working when using together with Discourse SSO - Patreon Developers

Yes, I can confirm that:

  • clicking the Login button on Discourse , for a user who is not currently logged into WordPress takes the user to the WordPress login page - :white_check_mark: YES

  • If the user then selects the Patreon login option, they are logged into WordPress - :white_check_mark: YES

  • but not logged into Discourse - :white_check_mark: YES - on the video above at 0:32 it shows the user is not logged in.

Okay, I have found a workaround, which “fixes” the issue with Patreon login. Please find instructions below. :slight_smile:

You will need:

  • Any plugin, which provides a shortcode to display login form (I have WooCommerce installed on my site, so I used [woocommerce_my_account] shortcode, which does exactly this for non-logged in users).
  • Members plugin, which provides [members_logged_in] and [members_not_logged_in] shortcodes to hide/show content depending on if user is logged in or not. You can use any other plugin which provides similar shortcodes functionality.
  • Shortcode Redirect plugin.

The idea is to create a special page, which displays a login form (and Patreon login button) for non-logged in users. And if the user is logged in, then it should redirect to the 'https://community.morevnaproject.org/session/sso?return_path=%2F' URL.
(Obviously, you will want to replace “community.morevnaproject.org” with your own domain).

My special login page has the following content:

[members_not_logged_in]
   [woocommerce_my_account]
   [patreon_login_button]
[/members_not_logged_in]
[members_logged_in]
   [redirect url='https://community.morevnaproject.org/session/sso?return_path=%2F' sec='0']
[/members_logged_in]

(you can see it in action here - https://morevnaproject.org/log-in-discourse/)

Then, all you need is to configure WP-Discourse plugin to use that page for SSO -

When the user clicks the “Log In” button in Discourse, he is redirected to my special Wordpress page. As the user is not logged in, it displays the login form. If the user clicks the “Log in with Patreon” button, then he is redirected to Patreon for authorization. After successful authorization he is redirected back to my special page. Since the user is now logged in, the “redirect” shortcode is activated:

[redirect url='https://community.morevnaproject.org/session/sso?return_path=%2F' sec='0']

…and the user is successfully redirected back to the Discourse forums.

The session/sso?return_path=%2F part at the end of the URL is required, otherwise Discourse will not recognize the user as logged in after the redirect.

That’s it! I hope this will help other users, who want to have Wordpress SSO with Patreon Login on their website. :slight_smile:

2 Likes

Nice work in figuring that out :+1:

I don’t want to detract from the work you’ve done, but my first take on this is that you should consider using an external auth service (such as okta.com or auth0.com) at this point. Whenever you reach the point of connecting three different services (e.g. Patreon, Wordpress and Discourse) to achieve a single authentication in one go, it’s a sign you should be considering a dedicated authentication solution. Whether or not you can achieve it somehow, there’s a decent long-tail risk here that your solution will break down, or not work in all cases.

If you still want to go down this path, I have some suggestions, but fair warning that this is going to get a bit technical. I’m partly adding these here in case anyone else comes across this and wants to take this further.

I took a quick look at the Patreon Wordpress Plugin code and it looks like their OAuth flow accepts a final_redirect_uri key/value in the state param which would allow you to go directly from Patreon authentication to Discourse SSO, removing the need for both the Members and Redirect plugins mentioned above, and eliding any issues that may arise with that approach.

Many authentication services have a version of the final_redirect_uri parameter, i.e. a parameter which will allow you to change where the user is sent after authentication. If you’re reading this because you’re trying to solve the same problem, but with a different service (i.e. other than Patreon), and you’ve also decided that my warning against connecting 3 different services doesn’t apply, then that is where you should look.

That means you’d want the shortcode that generates the Patreon login button to accept a final_redirect_uri as an argument, which would then be passed down to the eventual login url used by Patreon. Looking at the Patreon Wordpress Plugin code, that’s a feasible proposition. To give you a sense, the relevant function that generates the Patreon url looks like this:

Patreon_Frontend::patreonMakeLoginLink(false, array( 'final_redirect_uri' => # ) );

Basically, the code is already partially set up to handle a custom final_redirect_uri. I can understand why the Patreon Wordpress Plugin developers might not want to add it, but if you feel you’re confident enough with describing what I’ve described here, it might be worth creating an issue on their github repository. Failing that, you can use that function I’ve referenced above to generate a link yourself and create your own button (or hire a Wordpress developer to do that).

Just a minor note on the sso url construction, it’s a bit clearer to use

https://discourse.example.com/session/sso?return_path=/

instead of

https://discourse.example.com/session/sso?return_path=%2F

That last bit, the return_path, is the path the user is being sent to in Discourse after login. If it’s / they’ll be sent to the forum homepage. For more on SSO url construction, see WP Discourse Tips and Tricks.

3 Likes

+1 yes, there is a risk! :slight_smile:

Woah, thank you so much for the detailed instructions! So, it makes sense to modify [patreon_login_button] shortcode to accept final_redirect_uri parameter, and make a PR to their github repo. Thanks again for taking your time to explain!

1 Like