I still wonder how hard it would be to implement Discourse SSO for Mastodon.
Our use case:
We have https://la.confederac.io (Discourse) and https://red.confederac.io (Mastodon) as separate services on separate servers with separate user lists. We would like to integrate account creation, so that only our Discourse users can get a Mastodon account on our instance.
No strong opinion about existing Mastodon users, although an ideal scenario would be that Discourse SSO is enforced whenever they log in again (after logging out, sessions expiring…).
I asked Angus McLeod, a Discourse developer. His answer, in short, is that for Discourse SSO to work we would need changes in Mastodon’s code base, unless a plugin interface is on its way (full answer below).
If this feature is considered interesting by others (including the Mastodon maintainers), we could work with a developer and organize a casual crowdfunding among the members of our project and other Mastodon/Discourse projects interested.
After doing an initial review of Mastodon, my thinking is that this is doable, but it won’t be simple. Here are the relevant aspects to this.
Using Discourse SSO
Discourse can act as an SSO provider. For this to work, the 3rd party app, i.e. the app Discourse is providing authentication for, needs to support Discourse’s SSO implementation. There are some examples of this here:
Using Discourse as a SSO provider - developers - Discourse Meta
So Mastodon itself would have to be modified for this to work. As far as I’m aware, Mastodon does not have a plugin system like Discourse, meaning any modification would have to be made to Mastodon itself.
The other way of handling authentication between two services is by implementing an ‘exclusive’ OAuth. Mastodon seems to have support for authentication via OAuth, however I can’t find any documentation on it.
Discourse cannot act as an OAuth provider at the moment (i.e. a "sign in with "), however it should be possible to use an independent authentication service as an intermediary between the two, e.g. Auth0 or Okta. The authentication service would be the OAuth provider to both Discourse and Mastodon.
The most feasible move is probably using an independent authentication service, however it would be a fair bit of work:
- Setting up the authentication service to work with your current Discourse, including migrating existing user accounts
- Setting up the authentication service to work with Mastodon (assuming this is possible).