A more standardised SSO implementation

julian

You know what they say about standards...

Very soon after NodeBB started, we built in support for some of the major SSO providers through plugins like nodebb-plugin-sso-facebook and nodebb-plugin-sso-google.

For all other SSO providers, the ecosystem grew over time with the addition of other NodeBB plugins like nodebb-plugin-oidc-connect or various other bespoke implementations.

Outside of those, our recommendation was to fork out the sso-oauth plugin and make your own changes. I ended up making this template repository because each individual SSO implementation, despite being some variant of OAuth2, had its own intricacies that made it impossible to create a single plugin to cover all cases.

Since then...

A number of things have changed in the past ten years, namely the rise of hosted CRM services with built-in SSO/IAM components, the solidification of OpenID as the de facto standard for SSO, and the decline of OAuth in favour of OAuth2.

We've reached a point where it is safe to assume that a user attempting to implement an SSO bridge with NodeBB would be:

Using OAuth2.
Not rolling out their own OAuth2 compatible provider, but instead using a hosted service or common library

... and to that end, we're able to build a plugin that encompasses most of the common configuration cases.

https://github.com/NodeBB/nodebb-plugin-sso-oauth2-multiple/

From within this plugin, you are able to configure the details for each OAuth2 provider:

A screenshot displaying the configuration options for editing an OAuth2 strategy

If your OAuth2 provider supports the .well-known configuration route, you can simply populate the "domain" field and some of the remaining fields will be automatically filled out.

Due to an additional client ask, this plugin has even been updated so that you are able to add multiple OAuth2 providers, should you want to!

Testing

This plugin has been tested against both Auth0 and Okta.

julian

plugins like nodebb-plugin-oidc-connect

If "oidc" means "OpenID Connect", then does "oidc-connect" mean "OpenID Connect connect"?

julian

Re: testing — this plugin was not tested against Keycloak as I did not have a reference implementation to test against, but it should theoretically work. Please open an issue if you run into trouble with a Keycloak provider.

julian

Lastly, keep in mind that sso-oauth is not deprecated, and will still be maintained. It's still a reference implementation for OAuth2 providers that follow the standard loosely. Also it happens to be the only OAuth 1 reference implementation.

ufan0

Great work!

ufan0

This post is deleted!

traarrr

Hi all, how can we make this plugin compatible with SAML 2.0 configuration of SSO
@julian

Brutus5000

This post is deleted!

julian

@Brutus5000 thanks for submitting the PRs! Haven't had time to review yet, but will try to tomorrow.

Jupiter Rowland

That's good. Hubzilla already has server-side and client-side OAuth2 support, so maybe this may come in handy.