Authorization/Login credentials approach
Howdy!
Ok, some small updates and thoughts on this.
The basic idea I believe would be:
- User on the ext site wants to log in. They click a "Log in" button.
- A request is sent to an identity provider external to the site that requests they log in.
- The external site, after login, returns credentials showing success or failure (and other data most likely).
- JavaScript on the extension site handles the return to check it and displays page elements appropriately (mod functions, admin functions, etc).
Of course, part of the problem is defining what those roles will actually do on the site, and how to handle them on the extension site correctly. For instance, what if someone logs in as an administrator and wants to delete an extension for some reason - how would that be handled?
If the extension data is in a git repo (here?) - then how does this action actually get handled and done?
It seems like the extension would have to be deleted from the repo for instance - and that is handled with a completely different auth workflow in gnome gitlab. Or would an email get sent, or some other notification emitted from the extension site to something in order to trigger this action manually? Not sure - but this needs to be thought out before any big steps can really be made.
I'm happy to help talk through this if needed - just ping me in the usual places and I'll do my best to make some time.
```mermaid
flowchart TD
User --> Website
subgraph Gitlab
Git[Repository]
end
subgraph statichost[Static Host]
Git --> |Deploy| Website[Website]
end
Website --> |Login| Auth["Identity Provider (Auth)"]
Auth --> |Credentials| Website
Website --> |HOW IS THIS WORKING?| Git
```
Discourse has the ability to allow you to use it as an identity provider: https://meta.discourse.org/t/use-discourse-as-an-identity-provider-sso-discourseconnect/32974
This setting will enable an external site to send a request to Discourse to log in. Once a user logs into that Discourse instance, it will redirect them back to a pre-determined page with a payload in the request that contains either:
- `failed=true` if they did not log in or failed logging in there (no account, etc)
- a Response object with the following parameters:
  - external_id: (integer) Discourse id
  - username: (string) username/handle
  - name: (string) user's real name
  - email: (string) email address
  - avatar_url: (string) URL to the original, unscaled image as uploaded by user
  - admin: (boolean) true if user is an Admin, otherwise false
  - moderator: (boolean) true if user is a Moderator, otherwise false
  - groups: (string) comma-separated list of groups (by name) to which the user belongs
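As an added worked example (not part of the original post and not code from the extensions site or Discourse), the round trip described above modelled end to end: the site builds the signed `sso`/`sig` request, a stand-in for Discourse verifies it and redirects back with the signed response payload (or `failed=true`), and the site verifies the signature and nonce before reading `admin`, `moderator` and `groups` to decide which page elements to show. The shared secret, the Discourse and callback URLs and the sample user are constructed placeholders. Note the assumption baked into the example: the HMAC check needs the DiscourseConnect shared secret, so the verification has to run somewhere server-side, not in JavaScript shipped from the static host.

```python
"""Worked DiscourseConnect (Discourse-as-identity-provider) exchange, both sides."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Assumption: the shared secret configured in Discourse's DiscourseConnect provider
# settings. It must stay server-side; anyone holding it can forge a login response.
SSO_SECRET = b"example-shared-secret-not-real"


def sign(payload_b64, secret):
    """HMAC-SHA256 over the base64 payload, hex-encoded (DiscourseConnect's signature)."""
    return hmac.new(secret, payload_b64, hashlib.sha256).hexdigest()


def build_login_redirect(discourse_url, return_sso_url, secret):
    """Step 1: where the 'Log in' button sends the user. Returns (url, nonce).
    The nonce must be kept server-side (e.g. in the session) to match the return."""
    nonce = secrets.token_hex(16)
    raw = urllib.parse.urlencode({"nonce": nonce, "return_sso_url": return_sso_url}).encode()
    sso = base64.b64encode(raw)
    query = urllib.parse.urlencode({"sso": sso.decode(), "sig": sign(sso, secret)})
    return f"{discourse_url.rstrip('/')}/session/sso_provider?{query}", nonce


def _unpack(sso, sig, secret):
    """Check the signature before trusting anything inside the payload."""
    sso_bytes = sso.encode()
    if not hmac.compare_digest(sign(sso_bytes, secret), sig):
        raise ValueError("bad DiscourseConnect signature")
    decoded = base64.b64decode(sso_bytes).decode()
    return dict(urllib.parse.parse_qsl(decoded, keep_blank_values=True))


def simulate_discourse(login_url, secret, user):
    """Step 2 (stand-in for Discourse): verify the request, then redirect back.
    `user` is the account the person logged in as, or None for a failed login."""
    req = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(login_url).query))
    incoming = _unpack(req["sso"], req["sig"], secret)
    back = incoming["return_sso_url"]
    if user is None:
        return f"{back}?failed=true"
    fields = {"nonce": incoming["nonce"], "return_sso_url": back, **user}
    sso = base64.b64encode(urllib.parse.urlencode(fields).encode())
    query = urllib.parse.urlencode({"sso": sso.decode(), "sig": sign(sso, secret)})
    return f"{back}?{query}"


def verify_return(return_url, secret, expected_nonce):
    """Step 3: handle the redirect back. Returns the profile on success, None on
    failed=true, and raises ValueError on a forged or replayed payload."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(return_url).query))
    if q.get("failed") == "true":
        return None
    fields = _unpack(q["sso"], q["sig"], secret)
    # The nonce ties this response to the request we issued; without it a
    # captured response could be replayed into a different session.
    if not hmac.compare_digest(fields.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch (replay or cross-session response)")
    return {
        "external_id": int(fields["external_id"]),
        "username": fields["username"],
        "name": fields.get("name", ""),
        "email": fields.get("email", ""),
        "avatar_url": fields.get("avatar_url", ""),
        "admin": fields.get("admin") == "true",
        "moderator": fields.get("moderator") == "true",
        "groups": [g for g in fields.get("groups", "").split(",") if g],
    }


def allowed_actions(profile):
    """Map the verified profile to the UI elements the post mentions."""
    if profile is None:
        return set()
    actions = {"view"}
    if profile["moderator"] or profile["admin"]:
        actions.add("mod_functions")
    if profile["admin"]:
        actions.add("admin_functions")
    return actions


# Constructed sample data: URLs and the user are made up for this example.
DISCOURSE = "https://discourse.example.org"
RETURN_URL = "https://extensions.example.org/login/callback"
SAMPLE_ADMIN = {"external_id": "42", "username": "jdoe", "name": "J. Doe",
                "email": "jdoe@example.org", "avatar_url": f"{DISCOURSE}/a.png",
                "admin": "true", "moderator": "false",
                "groups": "trust_level_3,extension_reviewers"}

if __name__ == "__main__":
    login_url, nonce = build_login_redirect(DISCOURSE, RETURN_URL, SSO_SECRET)
    back = simulate_discourse(login_url, SSO_SECRET, SAMPLE_ADMIN)
    profile = verify_return(back, SSO_SECRET, nonce)
    print(profile, allowed_actions(profile))
```

The two checks that matter are the constant-time signature comparison, which rejects any edit to the returned fields (including flipping `admin` to `true`), and the nonce comparison, which rejects a genuine response replayed into another session.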