FEATURE: Add probe-only functionality to SSO Provider protocol #22393
Conversation
mdoggydog
force-pushed
the
maddog-sso-provider-probe-only
branch
from
517029b
to
81249c3
Compare
|
This pull request has been mentioned on Discourse Meta. There might be relevant details there: https://meta.discourse.org/t/discourse-development-contributor-guidelines/3823/109 |
|
I'm not sure if we want to have this feature in core, but the code seems to be okay. And the feature seems simple enough. But since this concerns auth, lets get more eyes on it. @OsamaSayegh Can you have a look as well? If we merge this, @mdoggydog would you be so kind and update the documentation at https://meta.discourse.org/t/use-discourse-as-an-identity-provider-sso-discourseconnect/32974? |
Sure, I would be happy to do that. Thanks for getting this PR moving. (I am still curious about whether or not failed checks interfere with the review process, and if there is a way to trigger a recheck. 🤔 ) |
No, it doesn't affect the review process. Sometimes reviews take time, especially when many team members are on vacation. |
|
Hi, @OsamaSayegh, any feedback on this PR? |
|
I think the functionality here is reasonable, but I'm not sure about the the naming of 'probe'. It doesn't really explain what's happening at first glance. The OpenIDConnect specification uses
How about we do the same? So we replace |
I like it; and, it makes it clear how to extend the API to handle the "require user to reauth even if they are already logged in" case if/when somebody needs it. Where should the reject-other-values occur? I can see three places that seem reasonable:
Each of these already raises one or more errors in response to the contents of the SSO request, so it is not clear to me which is the "right" place for this check. (Probably not (3), but that still leaves (1) or (2).) Also, what kind of error should be raised?
Funny... the "reject-other-values" is the most difficult part of this exercise... |
mdoggydog
force-pushed
the
maddog-sso-provider-probe-only
branch
from
81249c3
to
85f9f2a
Compare
|
Ok, I have pushed a revised PR that features the I await some guidance/opinions on that. |
|
Thanks @mdoggydog. I think let's put the rejection as early as possible, which looks like And then I think let's match how |
mdoggydog
force-pushed
the
maddog-sso-provider-probe-only
branch
from
85f9f2a
to
34faa71
Compare
|
This should take care of it. The rejection/validation is performed in |
This commit adds support for an optional `prompt` parameter in the payload of the /session/sso_provider endpoint. If an SSO Consumer adds a `prompt=none` parameter to the encoded/signed `sso` payload, then Discourse will avoid trying to login a not-logged-in user: * If the user is already logged in, Discourse will immediately redirect back to the Consumer with the user's credentials in a signed payload, as usual. * If the user is not logged in, Discourse will immediately redirect back to the Consumer with a signed payload bearing the parameter `failed=true`. This allows the SSO Consumer to simply test whether or not a user is logged in, without forcing the user to try to log in. This is useful when the SSO Consumer allows both anonymous and authenticated access. (E.g., users that are already logged-in to Discourse can be seamlessly logged-in to the Consumer site, and anonymous users can remain anonymous until they explicitly ask to log in.) This feature is similar to the `prompt=none` functionality in an OpenID Connect Authentication Request; see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
mdoggydog
force-pushed
the
maddog-sso-provider-probe-only
branch
from
34faa71
to
6a568e2
Compare
|
Argh... I somehow missed some linting nits before the last push. Pushed again. (I am not a fan of postfix |
|
Pinging @OsamaSayegh @davidtaylorhq @gschlager ... Anyone around to review this? |
|
This pull request has been mentioned on Discourse Meta. There might be relevant details there: https://meta.discourse.org/t/use-discourse-as-an-identity-provider-sso-discourseconnect/32974/141 |
There was a problem hiding this comment.
Sorry for the very long delay! This looks great - thanks for the contribution @mdoggydog 🙏
This commit adds support for an optional "probe" parameter in the payload of the /session/sso_provider endpoint. If an SSO Consumer adds a "probe=true" parameter to the encoded/signed "sso" payload, then Discourse will avoid trying to login a not-logged-in user:
If the user is already logged in, Discourse will immediately redirect back to the Consumer with the user's credentials in a signed payload, as usual.
If the user is not logged in, Discourse will immediately redirect back to the Consumer with a signed payload bearing the parameter "failed=true".
This allows the SSO Consumer to simply test whether or not a user is logged in, without forcing the user to try to log in. This is useful when the SSO Consumer allows both anonymous and authenticated access. (E.g., users that are already logged-in to Discourse can be seamlessly logged-in to the Consumer site, and anonymous users can remain anonymous until they explicitly ask to log in.)