NodeBB Oauth SSO Plugin and Wordpress

julian

By the way, it would be very exciting to see this completed, and have a dedicated plugin that will allow an admin to add login options from as many self-hosted WordPress installs as they'd like...

raul

@Julian, thanks for replying, I know you must be super busy with 0.5 release.

Yes, I think a Wordpress plugin will be great to have for a lot of Wordpress users looking beyond the usual forums to newer and more modern options like Nodebb.

On the Wordpress side the Wordpress Oauth2 plugin does give the user data, but after specific requests to the authorize, request token and request data URLs and the Nodebb Oauth2S strategy from what I could discern does not account for a request token, only an authorize and access/ refresh token so there is obviously some mismatch happening here.

Maybe the Wordpress plugin is not sticking to the Oauth2 standards strictly.

The Discourse inbuilt SSO approach is also interesting. For instance the code for integrating Discourse with any php based website, or Wordpress for instance is a single php page. Maybe it will be worthwhile having a look when you have some time. See here for the details . Discourse SSO plugin

psychobunny

For instance the code for integrating Discourse with any php based website, or Wordpress for instance is a single php page.

I like the concept. Sounds like it wouldn't be too much work to build something like this Maybe I'll give it a shot

raul

@psychobunny cool!, that will be nice to have! Here is the Discourse page that talks about their single sign on and how it works with some examples and the SSO discourse code.

julian

I read through the article. Instead of playing nice with other websites, Discourse is instead reversing the SSO process, with a new format that must be built against their existing SSO schema.

... meaning if you wanted to enable logins via your WordPress install, and there isn't one already built, you'd have to write a WordPress plugin that consumes the Discourse SSO API.

I'm not saying this is a bad idea, I'm trying to think critically of both options (Ours vs. Discourse)...

---

Discourse SSO

Pros

• Once a WP plugin is built, it does not need to be built again

Cons

• Only one external login method is supported
  • If you wanted to allow Google Accounts and accounts from your WordPress install, this is not possible
• SSO plugins for major providers must be done from Discourse, whereas minor providers (e.g. a self-hosted WP install) must be done to Discourse. This flip-flopping is confusing.

NodeBB SSO

Pros

• Public APIs for all major sites are already built (via PassportJS), trivial to create a plugin if already supported by PassportJS (fork existing fb plugin, change parent library).
• Once a NodeBB SSO plugin is built, it does not need to be built again
• All SSO integration is done from NodeBB

Cons

• A NodeBB plugin must be built for each OAuth provider
  • ... or customised to consume an OAuth endpoint provided by something like OAuth2orize
• Establishing integration for a minor provider means work must be done at both ends (WP OAuth plugin and NodeBB plugin)

Final Thoughts

• As mentioned prior, the idea that some SSO integrations are one way, while others are in reverse is confusing, and places minor providers as second-class citizens (major providers allow login via other providers, while minor providers take over the login process completely)
• Both methods pose a significantly high barrier to entry (programming knowledge required until plugins have been created)
• Handling your own encryption and security for login is scary, and I don't pretend to know everything about it. This is why NodeBB uses bcrypt for password hashing, and depend on other providers to properly maintain login integrity.

raul

@Julian I was vaguely aware of passport, but I just had a closer look and it's seems like an great plugin to have with over 50 mainstream sites strategies already available.

I hadn't really thought about the Discourse con of only one external login but when you thinkabout it but it is a big con. Ideally you want to have multiple login options for end users so that's some thing to think about.

The Nodebb cons are also to be considered, even with passport there is still a bit to be done for each provider.

raul

Ok guys, here is my first stab at trying to get the Wordpress plugin working and I am failing miserably so far. I keep getting a 404 at Nodebb whatever I do. Frustrating.

@Julian thanks for the passport link, I was vaguely aware of it and since I am currently trying to understand SSO and have been reading the OAuth 2.0 draft it was helpful to go through all the strategies.

WIth my slighter better understanding the Google SSO plugin seems to be the closest fit to the Wordpress Oauth2 plug in.

Here is a screenshot of the token endpoint

And of the access user profile endpoint

And here is my first attempt at a custom strategy. The data is provided in json by the wordpress plugin. Only including the changed bits from the Google Oauth2 strategy. Please note the Wordpress Oauth 2 plugin does not work without the 'state=' parameter.

function Strategy(options, verify) {
options = options || {};
options.authorizationURL = options.authorizationURL || 'http://example.com/oauth/authorize?state=2020';
options.tokenURL = options.tokenURL || 'http://example.com/oauth/request_token';

OAuth2Strategy.call(this, options, verify);
this.name = 'wordpress';
}

Strategy.prototype.userProfile = function(accessToken, done) {
this._oauth2.get('http://example.com/oauth/request_access', accessToken, function (err, body, res) {
if (err) { return done(new InternalOAuthError('failed to fetch user profile', err)); }

try {
  var json = JSON.parse(body);
  
  var profile = { provider: 'wordpress' };
  profile.id = json.ID;
  profile.displayName = json.user_nicename;
  profile.name = json.user_login;
  profile.emails = [{ value: json.user_email }];
  
  profile._raw = body;
  profile._json = json;
  
  done(null, profile);
} catch(e) {
  done(e);

Tanner

Any update on a Wordpress SSO?

a_5mith

@Tanner said:

Any update on a Wordpress SSO?

Should be pretty simple to be honest. There's a passport for it. For you, I'll see what I can do.

EDIT: The passport is for Wordpress.com Damnit.

I'm going to have to install Wordpress and look through a few plugins.

Tanner

@a_5mith did you ever have a look at this?

a_5mith

@Tanner Erm... I, forgot. I'll have a quick look through some plugins now.

EDIT: Should be possible using this

Tanner

@a_5mith what about having Wordpress be the oAuth client and not the provider?

Justin P Greer

Hey Everyone,

I know this thread is a bit old but I thought I would chime in here being the developer of the WP OAuth Server plugin you mention here.

@Tanner I recently published the OAuth client plugin for WordPress. If you are still interested, you can visit https://wp-oauth.com. The plugin is a premium plugin but is very reasonable.

To everyone else, I am not familiar with the platform you are using but I do have a very good understanding of security, authentication via WordPress and core of WP OAuth Server. I am open to helping where ever I can. If anyone needs a hand, shoot me an email, reply back here or submit a support request either on at https://wp-oauth.com or the WP forums.

Looking forward to helping where I can.

julian

@Justin-P-Greer Very cool to have you here. Welcome!

Poor @raul has been waiting months for this, and I promised to help him out but I ended up getting very sidetracked by other issues with NodeBB.

As long as your WP plugin can establish a standard OAuth2 endpoint, we can probably build something against it.

Justin P Greer

The plugin uses the "oauth/authorize" and "oauth/token" for authorization. This is to spec for OAuth2. Now as far as the resource API, there is no spec given as long as the acess token is given. Current the endpoint for the user resource is "/oauth/me?access_token=xxx". The "me" endpoint is there by default and returns basic information about the user from WP user meta fields. It can be modified very easier using WP filters.

You can visit the documentation or just shoot me an email if you need anything.

jarey

I'm interested in this too. Was exactly thinking about using your wp plugin to achive the mentioned functionality. What a coincidence.

Mohit Agrawal

Try https://github.com/beingmohit/NodeBB-Wordpress-Auth