Single Sign-On with Discourse


#1

How to sign-on into Mastodon from Discourse accounts?

Discourse, the software powering this board, has a very nice way of filtering users based on their participation, providing an effective anti-spam solution. It can be used as an identity server where existing users on Discourse could automagically log in to a Mastodon instance.

But at this point there seems to be no actual plugin support to do this. Did you set up such an SSO system from your Discourse instance to your Mastodon service? Do you know how to do it? Please share your information here, and let’s document it properly, from setup to troubleshooting!


#2

I don’t think it is possible (as of Release v2.2.0rc1 · tootsuite/mastodon · GitHub) to use external authentication providers for Mastodon.


#3

For what it’s worth, @Gargron says at Prevent registration spams · Issue #877 · tootsuite/mastodon · GitHub

Mastodon already has this feature: LDAP, CAS, SAML

https://meta.discourse.org/ throws some results when searching for LDAP, CAS or SAML and there seem to be some plugins. However, they seem to be geared toward Discourse using someone else’s authentication, not the other way around.

I am also interested in sign-on into Mastodon from Discourse accounts. It would make total sense for our project and it would (allegedly) save us some headaches with spam.


#4

Maybe Discourse can use OAuth to log in using Mastodon accounts?


#5

Maybe, but it wouldn’t work in our project, where Discourse is already providing SSO to a WordPress instance.


#6

Mastodon uses a framework called Devise - maybe it can be tweaked to do what you want.


#7

I’m actually looking forward to implementing it in reverse!
So my question is, can Mastodon be an OAuth provider to other applications?


#8

Discourse uses a custom SSO protocol in addition to OAuth2:

The normal case is authenticating all Discourse users with an external service, but it is also able to act as a provider of the custom protocol (this is a bit harder to implement, though).
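
An added example, not part of the thread and not code from Discourse or Mastodon: the consumer side of Discourse's custom SSO protocol when Discourse acts as the provider, where the payload is a base64-encoded query string and the signature is a hex HMAC-SHA256 over that base64 text. The function names, secret, URL and user attributes are hypothetical or constructed, and `simulated_provider_response` only stands in for Discourse to produce sample input.

```ruby
require "openssl"
require "uri"
require "securerandom"

SSO_SECRET = "constructed-shared-secret" # constructed; both sides hold the same value

# HMAC-SHA256 over the base64 payload, hex-encoded.
def sso_sign(payload, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
end

# Length check plus XOR accumulation, so comparison time does not depend on
# the position of the first differing byte.
def same_sig?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Consumer -> Discourse: nonce and return URL, base64-encoded, then signed.
def build_sso_request(nonce, return_url, secret)
  payload = [URI.encode_www_form(nonce: nonce, return_sso_url: return_url)].pack("m0")
  { sso: payload, sig: sso_sign(payload, secret) }
end

# Stand-in for the Discourse side, used only to produce sample input.
def simulated_provider_response(request, user, secret)
  nonce = URI.decode_www_form(request[:sso].unpack1("m")).to_h["nonce"]
  payload = [URI.encode_www_form(user.merge(nonce: nonce))].pack("m0")
  { sso: payload, sig: sso_sign(payload, secret) }
end

# Discourse -> consumer: verify the signature first, then the nonce.
# Returns the user attributes, or nil if either check fails.
def verify_sso_response(sso, sig, expected_nonce, secret)
  return nil unless same_sig?(sso_sign(sso.to_s, secret), sig)
  attrs = URI.decode_www_form(sso.unpack1("m")).to_h
  same_sig?(attrs["nonce"].to_s, expected_nonce) ? attrs : nil
end

if __FILE__ == $PROGRAM_NAME
  nonce = SecureRandom.hex(16) # store per session and discard after one use
  req = build_sso_request(nonce, "https://mastodon.example/auth/callback", SSO_SECRET)
  user = { external_id: "42", username: "alice", email: "alice@example.org" } # constructed
  resp = simulated_provider_response(req, user, SSO_SECRET)
  p verify_sso_response(resp[:sso], resp[:sig], nonce, SSO_SECRET)
end
```

The nonce check is what ties a response to the login attempt that requested it; a correctly signed response captured from an earlier session is rejected because its nonce no longer matches.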


#9

Yes, that’s how mobile apps like #Amaroq work.


#10

There’s omniauth-mastodon, a driver for Omniauth, which a lot of Rails apps including Devise use for authentication. That driver is used in bridge.joinmastodon.org for example. Adding it to Discourse should not be impossible, however I’m not sure how much value you can get out of it because Mastodon never exposes your real e-mail address via OAuth/API, and real e-mail address is what most “sign in with ___” functions are after.


#11

I think (username)@(instance) also looks much like an email address; if there is a way to mark the email as verified and send all mail sent to (username)@(instance) to the (username)'s registered email address, then it can be very straightforward to implement.