NodeBB Oauth SSO Plugin and Wordpress

NodeBB Plugins
  • By the way, it would be very exciting to see this completed, and have a dedicated plugin that will allow an admin to add login options from as many self-hosted WordPress installs as they'd like... 😄

  • @Julian, thanks for replying, I know you must be super busy with 0.5 release.

    Yes, I think a Wordpress plugin will be great to have for a lot of Wordpress users looking beyond the usual forums to newer and more modern options like Nodebb.

    On the Wordpress side the Wordpress Oauth2 plugin does give the user data, but after specific requests to the authorize, request token and request data URLs, and the Nodebb Oauth2S strategy, from what I could discern, does not account for a request token, only an authorize and access/refresh token, so there is obviously some mismatch happening here.

    Maybe the Wordpress plugin is not sticking to the Oauth2 standards strictly.

    The Discourse inbuilt SSO approach is also interesting. For instance the code for integrating Discourse with any php based website, or Wordpress for instance is a single php page. Maybe it will be worthwhile having a look when you have some time. See here for the details. Discourse SSO plugin

  • For instance the code for integrating Discourse with any php based website, or Wordpress for instance is a single php page.

    I like the concept. Sounds like it wouldn't be too much work to build something like this 🙂 Maybe I'll give it a shot

  • @psychobunny cool! That will be nice to have! Here is the Discourse page that talks about their single sign on and how it works with some examples and the SSO discourse code.

  • I read through the article. Instead of playing nice with other websites, Discourse is instead reversing the SSO process, with a new format that must be built against their existing SSO schema.

    ... meaning if you wanted to enable logins via your WordPress install, and there isn't one already built, you'd have to write a WordPress plugin that consumes the Discourse SSO API.

    I'm not saying this is a bad idea, I'm trying to think critically of both options (Ours vs. Discourse)...


    Discourse SSO

    Pros

    • Once a WP plugin is built, it does not need to be built again

    Cons

    • Only one external login method is supported
      • If you wanted to allow Google Accounts and accounts from your WordPress install, this is not possible
    • SSO plugins for major providers must be done from Discourse, whereas minor providers (e.g. a self-hosted WP install) must be done to Discourse. This flip-flopping is confusing.

    NodeBB SSO

    Pros

    • Public APIs for all major sites are already built (via PassportJS), trivial to create a plugin if already supported by PassportJS (fork existing fb plugin, change parent library).
    • Once a NodeBB SSO plugin is built, it does not need to be built again
    • All SSO integration is done from NodeBB

    Cons

    • A NodeBB plugin must be built for each OAuth provider
      • ... or customised to consume an OAuth endpoint provided by something like OAuth2orize
    • Establishing integration for a minor provider means work must be done at both ends (WP OAuth plugin and NodeBB plugin)

    Final Thoughts

    • As mentioned prior, the idea that some SSO integrations are one way, while others are in reverse is confusing, and places minor providers as second-class citizens (major providers allow login via other providers, while minor providers take over the login process completely)
    • Both methods pose a significantly high barrier to entry (programming knowledge required until plugins have been created)
    • Handling your own encryption and security for login is scary, and I don't pretend to know everything about it. This is why NodeBB uses bcrypt for password hashing, and depends on other providers to properly maintain login integrity.
  • @Julian I was vaguely aware of passport, but I just had a closer look and it seems like a great plugin to have with over 50 mainstream site strategies already available.

    I hadn't really thought about the Discourse con of only one external login, but when you think about it, it is a big con. Ideally you want to have multiple login options for end users so that's something to think about.

    The Nodebb cons are also to be considered, even with passport there is still a bit to be done for each provider.

  • Ok guys, here is my first stab at trying to get the Wordpress plugin working and I am failing miserably so far. I keep getting a 404 at Nodebb whatever I do. Frustrating.

    @Julian thanks for the passport link, I was vaguely aware of it and since I am currently trying to understand SSO and have been reading the OAuth 2.0 draft it was helpful to go through all the strategies.

    With my slightly better understanding the Google SSO plugin seems to be the closest fit to the Wordpress Oauth2 plugin.

    Here is a screenshot of the token endpoint

    nodebb-sso.png

    And of the access user profile endpoint

    nodebb-sso2.png

    And here is my first attempt at a custom strategy. The data is provided in json by the wordpress plugin. Only including the changed bits from the Google Oauth2 strategy. Please note the Wordpress Oauth 2 plugin does not work without the 'state=' parameter.

    // Imports and inheritance the excerpt relies on
    var util = require('util');
    var OAuth2Strategy = require('passport-oauth').OAuth2Strategy;
    var InternalOAuthError = require('passport-oauth').InternalOAuthError;

    function Strategy(options, verify) {
      options = options || {};
      // state is hard-coded because the WordPress plugin rejects requests without it
      options.authorizationURL = options.authorizationURL || 'http://example.com/oauth/authorize?state=2020';
      options.tokenURL = options.tokenURL || 'http://example.com/oauth/request_token';

      OAuth2Strategy.call(this, options, verify);
      this.name = 'wordpress';
    }

    util.inherits(Strategy, OAuth2Strategy);

    // Fetch the user record from the WordPress plugin and map it to a Passport profile
    Strategy.prototype.userProfile = function(accessToken, done) {
      this._oauth2.get('http://example.com/oauth/request_access', accessToken, function (err, body, res) {
        if (err) { return done(new InternalOAuthError('failed to fetch user profile', err)); }

        try {
          var json = JSON.parse(body);

          var profile = { provider: 'wordpress' };
          profile.id = json.ID;
          profile.displayName = json.user_nicename;
          profile.name = json.user_login;
          profile.emails = [{ value: json.user_email }];

          profile._raw = body;
          profile._json = json;

          done(null, profile);
        } catch(e) {
          done(e);
        }
      });
    };
    
  • Any update on a Wordpress SSO?

  • @Tanner said:

    Any update on a Wordpress SSO?

    Should be pretty simple to be honest. There's a passport for it. For you, I'll see what I can do. 👍

    EDIT: The passport is for Wordpress.com 😆 Damnit.

    I'm going to have to install Wordpress and look through a few plugins.

  • @a_5mith did you ever have a look at this? 🙂

  • @Tanner Erm... I, forgot. 😢 I'll have a quick look through some plugins now.

    EDIT: Should be possible using this

  • @a_5mith what about having Wordpress be the oAuth client and not the provider?

  • Hey Everyone,

    I know this thread is a bit old but I thought I would chime in here being the developer of the WP OAuth Server plugin you mention here.

    @Tanner I recently published the OAuth client plugin for WordPress. If you are still interested, you can visit https://wp-oauth.com. The plugin is a premium plugin but is very reasonable.

    To everyone else, I am not familiar with the platform you are using but I do have a very good understanding of security, authentication via WordPress and core of WP OAuth Server. I am open to helping wherever I can. If anyone needs a hand, shoot me an email, reply back here or submit a support request either at https://wp-oauth.com or the WP forums.

    Looking forward to helping where I can.

  • @Justin-P-Greer Very cool to have you here. Welcome! 😄

    Poor @raul has been waiting months for this, and I promised to help him out but I ended up getting very sidetracked by other issues with NodeBB.

    As long as your WP plugin can establish a standard OAuth2 endpoint, we can probably build something against it.

  • The plugin uses the "oauth/authorize" and "oauth/token" for authorization. This is to spec for OAuth2. Now as far as the resource API, there is no spec given as long as the access token is given. Currently the endpoint for the user resource is "/oauth/me?access_token=xxx". The "me" endpoint is there by default and returns basic information about the user from WP user meta fields. It can be modified very easily using WP filters.

    You can visit the documentation or just shoot me an email if you need anything.

  • I'm interested in this too. Was exactly thinking about using your wp plugin to achieve the mentioned functionality. What a coincidence.

