Using PHP sessions with nodebb?
-
@pwFoo said:
So I would prefer a direct auth method between (php) cms and nodebb.
The OAuth plugin method is actually a direct login method, unless I am not understanding what you are trying to say.
OAuth is a login mechanism, which allows you to enable third-party applications to handle logins through the same username/password mechanism you have running at the moment.
For example, check out the new "Log in via NodeBB.org" button in the login page of this site. It leads to a standalone login page, and utilises OAuth2.
-
@zackiles I just happened to have had a similar problem. I just wanted to know whether a user is logged in to nodeBB. I tried the approach you outlined, but it failed because the token didn't match. I was able to get it to work though by using a token parsed from /login/ instead. POSTing this token along w/ username/password did the trick.
-
I'm actually dealing with this right now. I went through the trouble of creating an oauth2 api server and customized the nodebb-plugin-sso-oauth plugin to work with it. However, this is quite a bit of overkill just to have my site users authenticated with the forum. Both the forum and the main site sit on the same server, there's no reason nodebb couldn't authenticate against the same database or share the session.
The points raised here about using the API to authenticate with nodebb simultaneously while logging into the main site are intriguing and will require additional research.
Ideally I'd like to have my users visit the forum page and seamlessly be logged in without any additional clicks or page visits on their part. I don't see the need for an intermediary "Do you authorize this site?" page.
Also, and this is to the devs. It's a little disheartening to see you say "use oauth" every time someone has a question about application integration. OAuth is extremely complex and is like using a flamethrower to light your blunt. It shouldn't have to be that hard, especially if the only authentication integration the site owner is doing is with this forum. Why should I have to create an entire additional API system just to support single sign on? This is not a service I'm providing to my users for other sites. It's not like they're going to visit some other page and try to login with credentials from my site. I'm not twitter/facebook/google, etc.
There's got to be a better way.
-
@KingCat said:
Also, and this is to the devs. It's a little disheartening to see you say "use oauth" every time someone has a question about application integration. OAuth is extremely complex and is like using a flamethrower to light your blunt. It shouldn't have to be that hard, especially if the only authentication integration the site owner is doing is with this forum.
Thanks for your thoughts on the matter. It's definitely given me something to think about, and we're not tied directly to any one method, per se.
Depending on what you're looking for, there are different strategies that you can utilise to accomplish your task.
Share credentials with another site? Use OAuth2, mostly because it is standardised. The alternative is to have other people build their own integrations with a standardised NodeBB SSO interface, but I feel that this is unnecessarily self-indulgent, especially when OAuth2 is a secure and well-tested system.
Check login credentials on another site via API call? You can build a plugin that attaches a listener to action:auth.overrideLogin. Then you can do whatever you want and log the user in if the provided username/password matches. (For example, you could use this hook to check creds on an SQL database)
-
@KingCat said:
I'm actually dealing with this right now. I went through the trouble of creating an oauth2 api server and customized the nodebb-plugin-sso-oauth plugin to work with it. However, this is quite a bit of overkill just to have my site users authenticated with the forum. Both the forum and the main site sit on the same server, there's no reason nodebb couldn't authenticate against the same database or share the session.
The points raised here about using the API to authenticate with nodebb simultaneously while logging into the main site are intriguing and will require additional research.
**Ideally I'd like to have my users visit the forum page and seamlessly be logged in without any additional clicks or page visits on their part. I don't see the need for an intermediary "Do you authorize this site?" page.**
Also, and this is to the devs. It's a little disheartening to see you say "use oauth" every time someone has a question about application integration. OAuth is extremely complex and is like using a flamethrower to light your blunt. It shouldn't have to be that hard, especially if the only authentication integration the site owner is doing is with this forum. Why should I have to create an entire additional API system just to support single sign on? This is not a service I'm providing to my users for other sites. It's not like they're going to visit some other page and try to login with credentials from my site. I'm not twitter/facebook/google, etc.
There's got to be a better way.
For me this is the key point. It would be great if the forum feels like the actual site. One login -> site + forum access.
I'm expecting to have some time to test the oauth2 approach to integrate Nodebb with a wordpress site, but I'm concerned whether this approach is transparent for the user at the time of login at the forum, because I don't really like an intermediary page in order to log in to the forum. As I said it would be great to have a solution to integrate it, with 1 login and feel like the forum is part of the site.
One example of what I'm trying to say can be seen on the QT site. You sign in to the site, but if you go to the forums, you have to log in again, using the Oauth approach.
It would be great if this could be simplified, to make only 1 login for both.
-
@julian said:
Check login credentials on another site via API call? You can build a plugin that attaches a listener to action:auth.overrideLogin. Then you can do whatever you want and log the user in if the provided username/password matches. (For example, you could use this hook to check creds on an SQL database)
This is amazing and exactly what I was looking for. I'm going to hit this hard and try to make something that works. Thanks a lot!
-
@julian That would be awesome. I just started with the quick start plugin and I'm like ......... ok what now? lol. Anything you can do to help shave some time off the next few dozen hours of familiarization would be much appreciated.
-
@KingCat In a nutshell, this is the base code you'll need in your plugin:
How to create a login override plugin (GitHub Gist, gist.github.com)
The plugin creates its own passport-local object (because if the hook is listened for, the passport-local object that is normally created by NodeBB is skipped). Since it replaces the local login for NodeBB, the same username/password dialog is used on the NodeBB frontend.
-
I really like how Vanilla Forums does it. http://blog.vanillaforums.com/help/vanilla-jsconnect-single-signon-on/
You provide a page that gives it the information someone needs when they're logged in https://github.com/vanilla/jsConnectPHP/blob/master/index.php
Then it has a plugin for the forums itself where you give it the URL for your registration page, and URL for that auth page.
Even if the solution is "use OAuth", there should at least be a NodeBB plugin that has those settings to input for those URLs for your OAuth landing.
-
@Sadtaco said:
Even if the solution is "use OAuth", there should at least be a NodeBB plugin that has those settings to input for those URLs for your OAuth landing.
Yea, there is, it's called nodebb-plugin-sso-oauth. It's what I finally ended up using to integrate my site. It works pretty well actually.
-
@KingCat said:
@Sadtaco said:
Even if the solution is "use OAuth", there should at least be a NodeBB plugin that has those settings to input for those URLs for your OAuth landing.
Yea, there is, it's called nodebb-plugin-sso-oauth. It's what I finally ended up using to integrate my site. It works pretty well actually.
That's not a complete plugin, though. I don't fully get what I would need to fill in to have it work if I were to fork it. And if I were to fork it, then I'd have a public plugin for my private accounts.
A full plugin would have an admin page where you input what is needed, and more of a guide on how to set up the OAuth end of things where the accounts are.
-
@Sadtaco This was the original intention of the sso-oauth plugin, but because the last step of the OAuth handshake is a call to a "get user info" style route from the other site, the logic for handling this cannot be determined ahead of time, and thus I cannot fully automate the plugin in that way.
-
@julian I see. Well I'm trying to basically port Vanilla's plugin to Nodebb, but I'm not sure if I'll be able to so it'd be cool if you devs had some official, simpler solution like it.
Vanilla's is really easy. You give it the url for your registration and login page, and a url where it expects JSON to return for a user's name, email, etc if they're logged in. If they're logged in, it creates a Vanilla forum user for them if one doesn't already exist. If one already does, it just logs them in normally as if they typed in their username and password on the Vanilla forums.
So no matter what auth system you use, you can use your own API to output the JSON it wants, so long as the client-id and secret key supplied match up as well. I have my own accounts system and it took me like <1 hour to read the documentation for how to set it up with Vanilla's and do a custom implementation.
Reading the oauth plugins on the other hand, I'm rather clueless on what I need to do to make it work for my own, and what I need on my own site's end of things. Like looking at the BNET plugin, I can't figure out what "clientID: process.env.BNET_ID" and "clientSecret: process.env.BNET_SECRET" are, among other things. It's just too in depth for something that should be simpler.
edit: Actually I see what the process.env are. They're user environment variables. But well, still, the oauth sso is way more complicated than I think a lot of people will want.
Like if I want to replace the profile, I'd rather have a separate plugin replacing the profile. Not part of the OAuth implementation. I imagine I can just cut that out while forking, but still. I wish there was something as simple as Vanilla's JSONP SSO.
And as I look through more, I'm not seeing why authorizationURL, tokenURL, clientID, clientSecret can't just be on settings pages instead of constants, with an oauth/oauth2 radial.