A more standardised SSO implementation
-
You know what they say about standards...
Very soon after NodeBB started, we built in support for some of the major SSO providers through plugins like nodebb-plugin-sso-facebook and nodebb-plugin-sso-google.
For all other SSO providers, the ecosystem grew over time with the addition of other NodeBB plugins like nodebb-plugin-oidc-connect or various other bespoke implementations.
Outside of those, our recommendation was to fork out the sso-oauth plugin and make your own changes. I ended up making this template repository because each individual SSO implementation, despite being some variant of OAuth2, had its own intricacies that made it impossible to create a single plugin to cover all cases.
Since then...
A number of things have changed in the past ten years, namely the rise of hosted CRM services with built-in SSO/IAM components, the solidification of OpenID as the de facto standard for SSO, and the decline of OAuth in favour of OAuth2.
We've reached a point where it is safe to assume that a user attempting to implement an SSO bridge with NodeBB would be:
- Using OAuth2.
- Not rolling out their own OAuth2-compatible provider, but instead using a hosted service or common library.
... and to that end, we're able to build a plugin that encompasses most of the common configuration cases.
GitHub - NodeBB/nodebb-plugin-sso-oauth2-multiple: NodeBB Plugin for configuring multiple OAuth2 endpoints for login
From within this plugin, you are able to configure the details for each OAuth2 provider:
If your OAuth2 provider supports the .well-known configuration route, you can simply populate the "domain" field and some of the remaining fields will be automatically filled out.

Due to an additional client ask, this plugin has even been updated so that you are able to add multiple OAuth2 providers, should you want to!
Testing
This plugin has been tested against both Auth0 and Okta.
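How a .well-known lookup like the one described above can fill in endpoint fields while checking the document before trusting it, as an added example that is not part of the original post or the plugin's own code. It assumes the OpenID Connect discovery path `/.well-known/openid-configuration`; the field names `authUrl`, `tokenUrl` and `userUrl` and the `idp.example.test` document are constructed for illustration.

```javascript
// Added example. Field names are hypothetical, not the plugin's settings keys.
const WELL_KNOWN = '/.well-known/openid-configuration'; // assumed discovery path

// Constructed sample of what a provider might return from the discovery route.
const SAMPLE_DOC = {
  issuer: 'https://idp.example.test/',
  authorization_endpoint: 'https://idp.example.test/authorize',
  token_endpoint: 'https://idp.example.test/oauth/token',
  userinfo_endpoint: 'https://idp.example.test/userinfo',
};

// Build the discovery URL from the "domain" field; accepts a bare host or a URL.
function discoveryUrl(domain) {
  const base = new URL(/^https?:\/\//i.test(domain) ? domain : `https://${domain}`);
  if (base.protocol !== 'https:') throw new Error('discovery must use https');
  return base.origin + base.pathname.replace(/\/+$/, '') + WELL_KNOWN;
}

// Validate a fetched discovery document and map it to endpoint fields.
function endpointsFromDiscovery(domain, doc) {
  const expected = discoveryUrl(domain).slice(0, -WELL_KNOWN.length);
  // The issuer in the document must be the issuer we asked for
  // (compared here ignoring a trailing slash).
  if (typeof doc.issuer !== 'string' || doc.issuer.replace(/\/+$/, '') !== expected) {
    throw new Error(`issuer mismatch: expected ${expected}, got ${doc.issuer}`);
  }
  const map = {
    authUrl: 'authorization_endpoint',
    tokenUrl: 'token_endpoint',
    userUrl: 'userinfo_endpoint',
  };
  const fields = {};
  for (const [field, key] of Object.entries(map)) {
    if (doc[key] === undefined) continue; // not advertised: leave for manual entry
    const url = new URL(doc[key]); // throws on a malformed value
    if (url.protocol !== 'https:') throw new Error(`${key} is not https`);
    fields[field] = url.href;
  }
  return fields;
}

console.log(discoveryUrl('idp.example.test'));
console.log(endpointsFromDiscovery('idp.example.test', SAMPLE_DOC));
```

In a real deployment the document would be fetched from `discoveryUrl(domain)` over TLS before being passed to `endpointsFromDiscovery`.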
-
Lastly, keep in mind that sso-oauth is not deprecated, and will still be maintained. It's still a reference implementation for OAuth2 providers that follow the standard loosely. Also it happens to be the only OAuth 1 reference implementation.
-
That's good. Hubzilla already has server-side and client-side OAuth2 support, so maybe this may come in handy.