General OpenID login plugin development

NodeBB Plugins
  • I'm trying to create an OpenID auth login and I need help.

    According to other SSOs and auth plugins there is a difference that there is no need for admin page with api/app key but before going to /auth/openid there is a form required to specify an OpenID identifier (url) so it POSTs to /auth/openid with open_identifier variable set, which might be different for every user.

    I've tried to create an '/auth/openid_form' route and add there a static page with a form (hooked to filter:server.create_routes)

    where the form is:

    <form action="/auth/openid" method="post">
            <label>OpenID identifier:</label>
            <input type="text" name="openid_identifier" size="40" /><br/>
            <input type="submit" value="Sign In"/>

    I can display the form by browsing to /auth/openid_form but when I enter anything I get Error: Forbidden:

    Error: Forbidden
        at Object.exports.error (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/utils.js:60:13)
        at Object.handle (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
        at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/proto.js:190:15)
        at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:313:9)
        at /home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:337:9
        at /home/nodebb/www/nodebb/node_modules/connect-mongo/lib/connect-mongo.js:220:17
        at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/collection/query.js:147:5
        at Cursor.nextObject (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:733:5)
        at commandHandler (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:713:14)
        at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/db.js:1806:9

    If I do not fill anything as open_identifier /auth/openid just responds 'Unauthorized' which seems ok to me.

    I am not sure if this is CSRF issue with recent changes in express/connect or if I am doing something wrong.

    Actually, there is another thing... how to add this form into a strategy so it is asked before using passport.auth? I mean, if I push strategy with URL /auth/openid it works fine but I need the link for OpenID login to go to /auth/openid_form first and not call passport.auth on this route and call passport.auth later on /auth/openid

    Tips or any heads up? 🙂

  • Hmm... the "Forbidden" error is definitely a CSRF issue... in StackOverflow, they ask for this during login for OpenID:


    Is this what you're trying to create?

    Ensure you're passing in a hidden input field with id _csrf in your form.

  • @julian thanks. I've fixed the csrf issue.

    another issue appeared 🙂

    I hook the form page on the route /auth/openid_form with action posting to /auth/openid
    also I add the strategy with route /auth/openid

    If I fill the form on /auth/openid_form, it POSTs to /auth/openid, but it returns 302 and redirects to /404 and logs warn: Route requested but not found: /auth/openid

    I've also tested my OpenID provider with passport-openid example from to ensure it is not in provider or my understanding of passport-openid. So it must be my misunderstanding of express and nodebb 🙂

    I'm very confused 😕 🙂

    See library.js -
    and hooks:

      "hooks": [
          "hook": "filter:auth.init", "method": "getStrategy", "callbacked": false
          "hook": "filter:server.create_routes", "method": "addOpenIDLoginRoute", "callbacked": true

    Or here is my whole source code of nodebb-plugin-openid
    (please, It's development prototype. First I'm aiming for working prototype and then I'll revise it to publish it properly)

  • @Tomáš-Simon-Klapka

    When you do finish and release it, I hope it comes bundled with every install.

  • As far as I know there is not an official plugin yet to support OpenID Connect in NodeBB.

    If anyone is still looking for a work-able OpenID Connection option, we've built one for production usage but it should work with any OpenID Connect identity provider.

    • Supports discovery using the .well-known/openid-configuration URL
    • Supports configurable email claim, defaults to email
    • Supports Logout URL
    • Optionally map roles by a named claim provided in the Userinfo endpoint response
    • Documented option to bypass the default login panel

    Feel free to open an issue if you find it is missing anything.

Suggested Topics

  • 0 Votes
    4 Posts
  • 0 Votes
    2 Posts
  • 2 Votes
    5 Posts
  • 1 Votes
    27 Posts
  • 3 Votes
    42 Posts