NodeBB Oauth SSO Plugin and Wordpress
-
I read through the article. Instead of playing nice with other websites, Discourse is instead reversing the SSO process, with a new format that must be built against their existing SSO schema.
... meaning if you wanted to enable logins via your WordPress install, and there isn't one already built, you'd have to write a WordPress plugin that consumes the Discourse SSO API.
I'm not saying this is a bad idea, I'm trying to think critically of both options (Ours vs. Discourse)...
Discourse SSO
Pros
- Once a WP plugin is built, it does not need to be built again
Cons
- Only one external login method is supported
- If you wanted to allow Google Accounts and accounts from your WordPress install, this is not possible
- SSO plugins for major providers must be done from Discourse, whereas minor providers (e.g. a self-hosted WP install) must be done to Discourse. This flip-flopping is confusing.
NodeBB SSO
Pros
- Public APIs for all major sites are already built (via PassportJS), trivial to create a plugin if already supported by PassportJS (fork existing fb plugin, change parent library).
- Once a NodeBB SSO plugin is built, it does not need to be built again
- All SSO integration is done from NodeBB
Cons
- A NodeBB plugin must be built for each OAuth provider
- ... or customised to consume an OAuth endpoint provided by something like OAuth2orize
- Establishing integration for a minor provider means work must be done at both ends (WP OAuth plugin and NodeBB plugin)
Final Thoughts
- As mentioned prior, the idea that some SSO integrations are one way, while others are in reverse is confusing, and places minor providers as second-class citizens (major providers allow login via other providers, while minor providers take over the login process completely)
- Both methods pose a significantly high barrier to entry (programming knowledge required until plugins have been created)
- Handling your own encryption and security for login is scary, and I don't pretend to know everything about it. This is why NodeBB uses bcrypt for password hashing, and depends on other providers to properly maintain login integrity.
-
@Julian I was vaguely aware of passport, but I just had a closer look and it seems like a great plugin to have, with over 50 mainstream site strategies already available.
I hadn't really thought about the Discourse con of only one external login, but when you think about it, it is a big con. Ideally you want to have multiple login options for end users, so that's something to think about.
The NodeBB cons are also to be considered; even with passport there is still a bit to be done for each provider.
-
Ok guys, here is my first stab at trying to get the Wordpress plugin working and I am failing miserably so far. I keep getting a 404 at Nodebb whatever I do. Frustrating.
@Julian thanks for the passport link, I was vaguely aware of it and since I am currently trying to understand SSO and have been reading the OAuth 2.0 draft it was helpful to go through all the strategies.
With my slightly better understanding, the Google SSO plugin seems to be the closest fit to the Wordpress Oauth2 plugin.
Here is a screenshot of the token endpoint
And of the access user profile endpoint
And here is my first attempt at a custom strategy. The data is provided in json by the wordpress plugin. Only including the changed bits from the Google Oauth2 strategy. Please note the Wordpress Oauth 2 plugin does not work without the 'state=' parameter.
```javascript
// Excerpt: OAuth2Strategy and InternalOAuthError come from the unchanged
// parts of the Google OAuth2 strategy this was adapted from.
function Strategy(options, verify) {
  options = options || {};
  options.authorizationURL = options.authorizationURL || 'http://example.com/oauth/authorize?state=2020';
  options.tokenURL = options.tokenURL || 'http://example.com/oauth/request_token';

  OAuth2Strategy.call(this, options, verify);
  this.name = 'wordpress';
}

Strategy.prototype.userProfile = function(accessToken, done) {
  this._oauth2.get('http://example.com/oauth/request_access', accessToken, function (err, body, res) {
    if (err) { return done(new InternalOAuthError('failed to fetch user profile', err)); }

    try {
      var json = JSON.parse(body);

      // Map the JSON returned by the WordPress plugin onto a Passport profile
      var profile = { provider: 'wordpress' };
      profile.id = json.ID;
      profile.displayName = json.user_nicename;
      profile.name = json.user_login;
      profile.emails = [{ value: json.user_email }];

      profile._raw = body;
      profile._json = json;

      done(null, profile);
    } catch(e) {
      done(e);
    }
  });
};
```
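The strategy in the post above sends a fixed `state=2020`, whereas OAuth 2.0 intends `state` to be an unguessable per-request value that the client checks on the callback to block cross-site request forgery of the login. The following is an added example, not part of the original post or of either plugin, showing that generate-and-verify step; `beginAuthorization`, `verifyCallback`, the session object, the client ID and the `example.com` URLs are assumptions.

```javascript
// Added example: per-login OAuth2 `state` instead of a fixed value.
// Function names, the session object and the URLs are illustrative assumptions.
const crypto = require('crypto');

// Step 1: before redirecting to the provider, mint a random state and keep it
// in the user's server-side session.
function beginAuthorization(session, opts) {
  const state = crypto.randomBytes(16).toString('hex'); // 128 random bits
  session.oauthState = state;
  const url = new URL(opts.authorizationURL);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', opts.clientID);
  url.searchParams.set('redirect_uri', opts.callbackURL);
  url.searchParams.set('state', state);
  return url.toString();
}

// Step 2: on the callback, the state echoed by the provider must equal the one
// stored for this session. The stored value is single use.
function verifyCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState;
  if (typeof expected !== 'string' || typeof query.state !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(query.state);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed walk-through of one login plus three requests that must fail.
function demo() {
  const opts = {
    authorizationURL: 'https://example.com/oauth/authorize',
    clientID: 'nodebb-client',
    callbackURL: 'https://forum.example.com/auth/wordpress/callback',
  };
  const session = {};
  const state = new URL(beginAuthorization(session, opts)).searchParams.get('state');
  return {
    genuine: verifyCallback(session, { code: 'abc', state: state }),
    replayed: verifyCallback(session, { code: 'abc', state: state }),
    fixedValue: verifyCallback({ oauthState: state }, { code: 'abc', state: '2020' }),
    noSession: verifyCallback({}, { code: 'abc', state: state }),
  };
}

console.log(demo());
```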
-
Any update on a Wordpress SSO?
-
@Tanner said:
Any update on a Wordpress SSO?
Should be pretty simple to be honest. There's a passport for it. For you, I'll see what I can do.
EDIT: The passport is for Wordpress.com. Damnit.
I'm going to have to install Wordpress and look through a few plugins.
-
Hey Everyone,
I know this thread is a bit old but I thought I would chime in here being the developer of the WP OAuth Server plugin you mention here.
@Tanner I recently published the OAuth client plugin for WordPress. If you are still interested, you can visit https://wp-oauth.com. The plugin is a premium plugin but is very reasonable.
To everyone else, I am not familiar with the platform you are using but I do have a very good understanding of security, authentication via WordPress and the core of WP OAuth Server. I am open to helping wherever I can. If anyone needs a hand, shoot me an email, reply back here or submit a support request either at https://wp-oauth.com or the WP forums.
Looking forward to helping where I can.
-
@Justin-P-Greer Very cool to have you here. Welcome!
Poor @raul has been waiting months for this, and I promised to help him out but I ended up getting very sidetracked by other issues with NodeBB.
As long as your WP plugin can establish a standard OAuth2 endpoint, we can probably build something against it.
-
The plugin uses the "oauth/authorize" and "oauth/token" for authorization. This is to spec for OAuth2. Now as far as the resource API, there is no spec given as long as the access token is given. Currently the endpoint for the user resource is "/oauth/me?access_token=xxx". The "me" endpoint is there by default and returns basic information about the user from WP user meta fields. It can be modified very easily using WP filters.
You can visit the documentation or just shoot me an email if you need anything.
-
I'm interested in this too. Was exactly thinking about using your wp plugin to achieve the mentioned functionality. What a coincidence.
-