isso-comments / isso

a Disqus alternative
https://isso-comments.de
MIT License

Authentication using social networks #240

Open pellenilsson opened 8 years ago

pellenilsson commented 8 years ago

I'd like to add the possibility to authenticate using social networks. Primarily Facebook and Google+, but also OpenID or OAuth. In my opinion this adds a lot of value without conflicting with the fundamental principles of Isso, since all comments are still owned and controlled by the website owner.

I have made a first implementation of Facebook auth in my fork, and there is a live demo running. It adds very little code on the server side, a bit more on the client side.

There are of course some practical matters left to sort out (like database backward compatibility, making it configurable, and Facebook AppId issues), but I first want to know if you are interested in this line of development. If you want to introduce some kind of plugin system to keep Isso core clean, I'm of course open for that too.

ivilata commented 8 years ago

I also think that OpenID support for Isso would be a really great advance, for instance to avoid spam. Nice!

graphicore commented 8 years ago

I'd love to see GitHub authentication support.

pellenilsson commented 8 years ago

I'm going to spend some time on this in August. I will at least make the fork good enough so I can use it on my own web site. I would prefer to have as much functionality as possible merged upstream, but I suspect the project owner is not interested (no comment after several months, and the contribution guidelines state "no hard-wired external services (e.g. Gravatar, Akismet)").

I've been looking at OpenID Connect support to make it possible to authenticate with any OpenID provider, as this would be the most "free" solution (no lock-in to specific third party services). But the OpenID standards are bigger and more complicated than I had hoped. I guess that GitHub support would be a lot easier (as were Facebook and Google).

graphicore commented 8 years ago

That's cool! I'll follow this for sure. I still need to read into the code here for my evaluation. I'd contribute to your fork in case. Maybe we can come to a solution everyone is happy with.

pellenilsson commented 8 years ago

The demo is up and running again, and now has login support for Facebook, Google+, and OpenID Connect. Some very basic things I still need to add the coming weeks:

My ambition is to make the process secure in the sense that it should not be possible to post using someone else's FB account, G+ account, or OpenID identifier string. But the code definitely needs review by a security-minded person. Two security considerations I can think of right now:

Oh, and OpenID login is only tested with one provider so far: simpleid. Note that the older OpenID 1.0 and 2.0 protocols are not supported; your provider must support OpenID Connect.

pellenilsson commented 8 years ago

I just noted that OpenID login doesn't work in Chromium, so that's on the todo-list as well. Please use Firefox if you want to test the whole thing.

digitalist commented 6 years ago

I suggest using https://github.com/scotch/engineauth. It seems it's a question of migrating isso web-middleware into engineauth or vice versa and mixing routes/frontend scripts. Here's a demo: http://engineauth.scotchmedia.com/

There's a nodejs module which uses the same auth strategy pattern.

pellenilsson commented 6 years ago

I have now taken my fork as far as I intended to, meaning that the authentication methods I added (OpenID, Facebook and Google+) are fully configurable and play nice with the other options of Isso. I will try running it on my own blog starting from today, so you can try it out there:

https://pantarei.xyz/posts/isso-with-social-network-integration/

Configuration instructions are on the GitHub page of my fork.

I would still much prefer to have this functionality incorporated into mainline Isso instead of maintaining my own fork, so please let me know if you are at all interested.

digitalist commented 6 years ago

Since it's the only option for now not involving nodejs or 3rd-party services, I bet there will be enough interest. Still, I'll try to install and check and bring a word to the world :-) about it.

blatinier commented 6 years ago

Interested in some PR indeed

Equidamoid commented 5 years ago

@pellenilsson could you maybe try to create a PR? I just tried to merge current master to your fork, it gives quite some conflicts. And while I can figure it out for python part, js (and ".jade") is not really my thing :(

pellenilsson commented 5 years ago

@Equidamoid I believe that there is more to it than just "code conflicts". Combining this with new upstream features such as Gravatars, email notifications, and the admin interface would require some new decisions about the user interface and other questions. A small first step is to get #311 merged, then we could start that discussion.

antont commented 2 years ago

We are testing Isso with the idea that we would have it as a module / complementary service, in an existing service where we already auth the users by other means.

So I am just making a wish / note, that having users and auth in Isso would be nice to have cleanly separated, so that Isso is also simple to use with other auth and user info systems.

ix5 commented 2 years ago

Yes, I agree. Keeping the core lean and extensible is the right way to go.

#311 has been merged and I'd like nothing more than for @pellenilsson's great contributions to find their way into upstream Isso.

@posativ made some strides in reworking the core in https://github.com/posativ/isso/pull/108 but decided to abandon the work. pg-discuss by @sprin was also a great effort that was intended to collaborate a lot with Isso.

We'll see where efforts to revive this sort of collaboration take us. I'm hopeful we can revive some of the enthusiasm now that there are more maintainers.