Single Sign-On with Discourse

How to sign on to Mastodon with Discourse accounts?

Discourse, the software powering this board, has a very nice way of filtering users based on their participation, providing an effective anti-spam solution. It can be used as an identity server where existing users on Discourse could automagically log in to a Mastodon instance.

But at this point there seems to be no actual plugin support to do this. Did you set up such an SSO system from your Discourse instance to your Mastodon service? Do you know how to do it? Please share your information here, and let’s document it properly, from setup to troubleshooting!

1 Like

I don’t think it is possible (as of Release v2.2.0rc1 · tootsuite/mastodon · GitHub) to use external authentication providers for Mastodon.

For what it’s worth, @Gargron says at Prevent registration spams · Issue #877 · tootsuite/mastodon · GitHub:

Mastodon already has this feature: LDAP, CAS, SAML

https://meta.discourse.org/ throws some results when searching for LDAP, CAS or SAML and there seems to be some plugins. However, they seem to be geared toward Discourse using someone else’s authentication, not the other way around.

I am also interested in signing on to Mastodon from Discourse accounts. It would make total sense for our project and it would (allegedly) save us some headaches with spam.

1 Like

Maybe Discourse can use OAuth to login using Mastodon accounts?

1 Like

Maybe, but it wouldn’t work in our project, where Discourse is already providing SSO to a WordPress instance.

Mastodon uses a framework called Devise - maybe it can be tweaked to do what you want.

I’m actually looking forward to implementing it in reverse!
So my question is, can Mastodon be an OAuth provider to other applications?

Discourse uses a custom SSO protocol in addition to OAuth2:

The normal case is authenticating all Discourse users with an external service, but it is also able to act as a provider of the custom protocol (this is a bit harder to implement, though).

1 Like

Yes, that’s how mobile apps like #Amaroq work.

1 Like

There’s omniauth-mastodon, a driver for OmniAuth, which a lot of Rails apps including Devise use for authentication. That driver is used in bridge.joinmastodon.org for example. Adding it to Discourse should not be impossible, however I’m not sure how much value you can get out of it because Mastodon never exposes your real e-mail address via OAuth/API, and a real e-mail address is what most “sign in with ___” functions are after.

2 Likes

I think (username)@(instance) also looks much like an email address. If there is a way to mark the email as verified and to forward all mails sent to (username)@(instance) to the (username)’s registered email address, then it can be very straightforward to implement.

2 Likes

bump!

I still wonder how hard it would be to implement Discourse SSO for Mastodon.

Our use case:

We have https://la.confederac.io (Discourse) and https://red.confederac.io (Mastodon) as separate services in separate servers with separate user lists. We would like to integrate account creation, so that only our Discourse users can get a Mastodon account in our instance.

No strong opinion about existing Mastodon users, although an ideal scenario would be that Discourse SSO would be enforced as they log in (because they logged out, sessions expiring…)

I asked Angus McLeod, a Discourse developer. His answer comes to say that, for Discourse SSO to work, we would need changes in Mastodon’s code base, unless a plugin interface is on its way (full answer below).

If this feature is considered interesting by others (including the Mastodon maintainers), we could work with a developer and organize a casual crowdfunding among the members of our project and other Mastodon/Discourse projects interested.

Angus’ reply:

After doing an initial review of Mastodon, my thinking is that this is doable, but it won’t be simple. Here are the relevant aspects to this.

Using Discourse SSO

Discourse can act as an SSO provider. For this to work, the 3rd party app, i.e. the app Discourse is providing authentication for, needs to support Discourse’s SSO implementation. There are some examples of this here:

Using Discourse as a SSO provider - developers - Discourse Meta

So Mastodon itself would have to be modified for this to work. As far as I’m aware, Mastodon does not have a plugin system like Discourse, meaning any modification would have to be made to Mastodon itself.

Using OAuth

The other way of handling authentication between two services is by implementing an ‘exclusive’ OAuth. Mastodon seems to have support for authentication via OAuth, however I can’t find any documentation on it.

Discourse cannot act as an OAuth provider at the moment (i.e. a "sign in with "), however it should be possible to use an independent authentication service as an intermediary between the two, e.g. Auth0 or Okta. The authentication service would be the OAuth provider to both Discourse and Mastodon.

The most feasible move is probably using an independent authentication service, however it would be a fair bit of work:

  1. Setting up the authentication service to work with your current Discourse, including migrating existing user accounts.
  2. Setting up the authentication service to work with Mastodon (assuming this is possible).

1 Like
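To make concrete what “supporting Discourse’s SSO implementation” on the Mastodon side would involve (the custom protocol mentioned earlier in the thread and in Angus’ reply), here is an added example of the DiscourseConnect handshake simulated end to end. It is not code from Discourse, Mastodon or anyone in this thread; the shared secret, the callback URL and the sample user are constructed placeholders, and the payload layout (base64-encoded query string signed with HMAC-SHA256 in hex) follows Discourse’s documented SSO provider protocol.

```ruby
require "base64"
require "openssl"
require "securerandom"
require "uri"

# Constructed placeholders: a hypothetical shared secret and a hypothetical
# Mastodon callback URL (the real values come from the Discourse admin settings
# and from whatever route a Mastodon-side integration would expose).
SSO_SECRET = "placeholder-shared-secret"
RETURN_URL = "https://red.example/auth/discourse/callback"

# Both sides sign the raw base64 string, never the decoded query string.
def sign(payload)
  OpenSSL::HMAC.hexdigest("sha256", SSO_SECRET, payload)
end

# Constant-time comparison so a signature mismatch does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Consumer side (the Mastodon integration): build the outbound request.
# The nonce must be stored server-side (session) so the response can be tied to it.
def build_sso_request(nonce = SecureRandom.hex(16))
  payload = Base64.strict_encode64(URI.encode_www_form(nonce: nonce, return_sso_url: RETURN_URL))
  { nonce: nonce, sso: payload, sig: sign(payload) }
end

# Provider side (Discourse, simulated): reject unsigned requests, then return the
# logged-in user's identity signed with the same secret.
def provider_respond(sso:, sig:, user:)
  raise "bad request signature" unless secure_equal?(sign(sso), sig)
  req = URI.decode_www_form(Base64.decode64(sso)).to_h
  resp = Base64.strict_encode64(URI.encode_www_form(
    nonce: req["nonce"], email: user[:email], external_id: user[:id], username: user[:username]))
  { sso: resp, sig: sign(resp), return_to: req["return_sso_url"] }
end

# Consumer side again: verify the signature first, then the nonce (replay protection),
# and only then trust the identity fields. A real integration also expires and
# single-uses nonces; that bookkeeping is left out here.
def verify_sso_response(sso:, sig:, expected_nonce:)
  return nil unless secure_equal?(sign(sso), sig)
  data = URI.decode_www_form(Base64.decode64(sso)).to_h
  return nil unless secure_equal?(data["nonce"].to_s, expected_nonce)
  data.slice("email", "external_id", "username")
end
```

Note that `external_id` (the Discourse user id) is the stable key to map to a local account; usernames and e-mail addresses can change on the Discourse side.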

Maybe poking around the Devise initialization code can bring some solution?