How to perform SSO using Discourse and Auth0?

I am trying to perform SSO using Auth0 for WordPress and Discourse from my own application. The flow is mentioned below.

Image added here (low on rep, so I can't post it)

The user enters a username and password in the application; the details are sent to the server, which authenticates the user with the Auth0 API and sends back the token.

I have installed the Auth0 SSO plugin from GitHub in Discourse, and all the client IDs and client secrets are added to the plugin.

I want to know how to perform SSO in Discourse when I have logged into my application.

For WordPress we are using the following method.

<form *ngIf="userService.isAuthenticated()" ngNoForm action="http://xx.xx.xx.xx/index.php?auth0=implicit&client_id=xxxxxxxxxxxxxxxxxxxxxxxxx&connection=xxxxxxxxxx"
    method="post">
    <input class="hidden" type="text" id="token" name="token" value="{{tokenValueIsHereReturnedbyAuth0Authentication}}" />
    <input class="hidden" type="text" id="redirect_to" name="redirect_to" value="http://xx.xx.xx.xx/index.html" />
    <input class="btn btn-primary pull-right" type="submit" value="View" />
</form>

So how do I do a similar thing in Discourse?

I have tried the following:

  1. Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso) - Integrations - Discourse Meta

However, I could not complete that as I do not know what PAYLOAD and SIG are in

https://somesite.com/sso?sso=PAYLOAD&sig=SIG

Update:

The payload, I think: what Auth0 gave me as access_token is the payload, which is encoded as Base64 (using base64encode.org), and SIG is an HMAC-SHA256 hash of the payload using sso_secret as the key and the Base64-encoded payload (freeformatter.com/hmac-generator).

To integrate your own application with Discourse for Single Sign-On (SSO) using Auth0, you can follow these steps:

1. Understand DiscourseConnect (SSO) Requirements

Discourse supports its own SSO protocol called DiscourseConnect. For this, you need:

  • Payload: A Base64-encoded string containing specific user information.
  • Signature (sig): A HMAC-SHA256 hash of the payload, generated using a shared secret (sso_secret).

2. Set Up DiscourseConnect in Discourse

  1. Log into your Discourse admin panel.
  2. Go to Settings and search for “enable_sso.”
  3. Enable the enable_sso option.
  4. Set the sso_url to point to your backend server where you will process the SSO payload and signature.
  5. Configure the sso_secret, which will be used to verify the signature.

3. Create Your Backend Endpoint for SSO

You need to create an endpoint (e.g., /sso) in your server application to generate the payload and signature for Discourse.

Here’s a sample implementation in Python:

import base64
import hmac
import hashlib
from urllib.parse import urlencode

def create_discourse_sso_payload(user_info, sso_secret):
    # Prepare the user information as a query string.
    # user_info must also carry the nonce that Discourse sent to your
    # sso_url in its signed request; Discourse rejects a response
    # whose nonce does not match the one it issued.
    payload = urlencode(user_info)

    # Encode the query string as Base64
    encoded_payload = base64.b64encode(payload.encode()).decode()

    # Sign the Base64 text itself (not the raw query string) with HMAC-SHA256
    signature = hmac.new(
        sso_secret.encode(),
        encoded_payload.encode(),
        hashlib.sha256
    ).hexdigest()

    # Return both values; they become the sso and sig query parameters
    return {
        "sso": encoded_payload,
        "sig": signature
    }

4. Generate and Send SSO Payload

You will need to send a properly formatted URL back to Discourse, like:

https://your-discourse-url.com/session/sso_login?sso=ENCODED_PAYLOAD&sig=SIGNATURE

The ENCODED_PAYLOAD is your Base64-encoded payload, and SIGNATURE is the HMAC-SHA256 hash.

Example Payload Fields:

The payload should include the following fields (at minimum):

  • external_id: A unique user ID from your system.
  • email: User’s email address.
  • username: The username to display in Discourse.

Example user_info dictionary:

user_info = {
    "external_id": "123",
    "email": "user@example.com",
    "username": "exampleuser",
    "name": "Example User",
    "admin": "true",  # Optional
    "moderator": "false"  # Optional
}

5. Testing the Integration

  1. Authenticate the user in your application using Auth0.
  2. On successful authentication, redirect the user to your server’s /sso endpoint.
  3. Generate the payload and signature.
  4. Redirect the user to Discourse’s /session/sso_login endpoint with the generated sso and sig.

6. Troubleshooting Common Issues

  • Invalid Signature Error: Ensure the sso_secret matches between your application and Discourse. Verify Base64 encoding and HMAC generation.
  • Discourse Not Logging In Users: Verify the payload fields match Discourse requirements. Check logs in Discourse for details.

If you’d like help implementing a specific part, let me know!
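The full DiscourseConnect round trip the answer describes, as an added example that is not the answer's own code: the /sso endpoint first verifies the request Discourse signed (constant-time compare), then echoes the nonce back together with the user identity from your Auth0 session and signs the reply. The secret, nonce, user fields and forum URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

def sign(payload_b64: str, secret: str) -> str:
    """DiscourseConnect signs the Base64 text itself (not the decoded query), hex-encoded."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()

def encode_payload(fields: dict) -> str:
    return base64.b64encode(urlencode(fields).encode()).decode()

def decode_payload(payload_b64: str) -> dict:
    return {k: v[0] for k, v in parse_qs(base64.b64decode(payload_b64).decode()).items()}

def verify_incoming_sso(sso: str, sig: str, secret: str) -> dict:
    """Step 1 on /sso: check Discourse's signature before trusting nonce or return_sso_url.
    compare_digest is constant-time, so a wrong sig leaks nothing about the right one."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad DiscourseConnect signature")
    fields = decode_payload(sso)
    if "nonce" not in fields or "return_sso_url" not in fields:
        raise ValueError("payload missing nonce or return_sso_url")
    return fields

def build_login_redirect(incoming: dict, user: dict, secret: str) -> str:
    """Step 2: echo the nonce back with the user identity, sign, and build the redirect URL."""
    response = {"nonce": incoming["nonce"], **user}
    payload_b64 = encode_payload(response)
    query = urlencode({"sso": payload_b64, "sig": sign(payload_b64, secret)})
    return f"{incoming['return_sso_url']}?{query}"

def round_trip_demo(secret: str) -> dict:
    """Constructed exchange: Discourse's request, our verified reply, then Discourse's own checks."""
    discourse_request = encode_payload({"nonce": "n0nce-from-discourse",
                                        "return_sso_url": "https://forum.example.test/session/sso_login"})
    incoming = verify_incoming_sso(discourse_request, sign(discourse_request, secret), secret)
    url = build_login_redirect(incoming, {"external_id": "123", "email": "user@example.com",
                                          "username": "exampleuser"}, secret)
    # What Discourse does on /session/sso_login: verify sig, then require the nonce it issued.
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not hmac.compare_digest(sign(query["sso"], secret), query["sig"]):
        raise ValueError("outgoing signature invalid")
    response = decode_payload(query["sso"])
    if response["nonce"] != incoming["nonce"]:
        raise ValueError("nonce mismatch")
    return response
```

Bind verify_incoming_sso and build_login_redirect to your /sso route in any web framework; the nonce check is what stops a captured login URL from being replayed for a different user.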