isso-comments / isso

a Disqus alternative
https://isso-comments.de
MIT License
5.06k stars 438 forks source link

Authentication using social networks #240

Open pellenilsson opened 8 years ago

pellenilsson commented 8 years ago

I'd like to add the possibility to authenticate using social networks. Primarily Facebook and Google+, but also OpenID or OAuth. In my opinion this adds a lot of value without conflicting with the fundamental principles of Isso, since all comments are still owned and controlled by the website owner.

I have made a first implementation of Facebook auth in my fork, and there is a live demo running. It adds very litte code on the server side, a bit more on the client side.

There are of course some practical matters left to sort out (like database backward compatibility, making it configurable, and Facebook AppId issues), but I first want to know if you are interested in this line of development. If you want to introduce some kind of plugin system to keep Isso core clean, I'm of course open for that too.

ivilata commented 8 years ago

I also think that OpenID support for Isso would be a really great advance, for instance to avoid spam. Nice!

graphicore commented 8 years ago

I'd love to see GitHub authentication support.

pellenilsson commented 8 years ago

I'm going to spend some time on this in August. I will at least make the fork good enough so I can use it on my own web site. I would prefer to have as much functionality as possible merged upstream, but I suspect the project owner is not interested (no comment after several months, and the contribution guidelines states "no hard-wired external services (e.g. Gravatar, Akismet)".

I've been looking at OpenID Connect support to make it possible to authenticate with any OpenID provider, as this would be the most "free" solution (no lock-in to to specific third party services). But the OpenID standards are bigger and more complicated than I had hoped. I guess that GitHub support would be a lot easier (as was Facebook and Google).

graphicore commented 8 years ago

That's cool! I'll follow this for sure. I still need to read into the code here for my evaluation. I'd contribute to your fork in case. Maybe we can come to a solution everyone is happy with.

pellenilsson commented 8 years ago

The demo is up and running again, and now has login support for Facebook, Google+, and OpenID Connect. Some very basic things I still need to add the coming weeks:

My ambition is to make the process secure in the sense that it should not be possible to post using someone else's FB account, G+ account, or OpenID identifier string. But the code definetely needs review by a security minded person. Two security considerations I can think of right now:

Oh, and OpenID login is only tested with one provider so far: simpleid. Note that the older OpenID 1.0 and 2.0 protocols are not supported, your provider must support OpenID Connect.

pellenilsson commented 8 years ago

I just noted that OpenID login doesn't work in Chromium, so that's on the todo-list as well. Please use Firefox if you want to test the whole thing.

digitalist commented 7 years ago

I suggest using https://github.com/scotch/engineauth It seems it's a question of migrating isso web-middlware into engineauth or vice-versa and mixing routes/frontend scripts here's demo: http://engineauth.scotchmedia.com/

there's a nodejs module which uses same auth strategy pattern

pellenilsson commented 6 years ago

I have now taken my fork as far as I intended to, meaning that the authentication methods I added (OpenID, Facebook and Google+) are fully configurable and plays nice with the other options of Isso. I will try running it on my own blog starting from today, so you can try it out there:

https://pantarei.xyz/posts/isso-with-social-network-integration/

Configuration instructions are on the Github page of my fork.

I would still much prefer to have this functionality incorporated into mainline Isso instead of maintaining my own fork, so please let me know if you are at all interested.

digitalist commented 6 years ago

Since it's an only option for now not involving nodejs or 3d-party services I bet there will be enough interest. Still, I'll try to install and check and bring a word to the world :-) about it

blatinier commented 6 years ago

Interested on some PR indeed

Equidamoid commented 5 years ago

@pellenilsson could you maybe try to create a PR? I just tried to merge current master to your fork, it gives quite some conflicts. And while I can figure it out for python part, js (and ".jade") is not really my thing :(

pellenilsson commented 5 years ago

@Equidamoid I believe that there is more to it than just "code conflicts". Combining this with new upstream features such as Gravatars, email notifications, and the admin interface would require some new decisions about the user interface and other questions. A small first step is to get #311 merged, then we could start that discussion.

antont commented 2 years ago

We are testing Isso with the idea that would have it as a module / complementary service, in an existing service where we already auth the users by other means.

So am just making a wish / note, that having users and auth in Isso would be nice to have cleanly separated, so that Isso is also simple to use with other auth and user info systems.

ix5 commented 2 years ago

Yes, I agree. Keeping the core lean and extensible is the right way to go.

311 has been merged and I'd like nothing more than for @pellenilsson's great contributions to find their way into upstream Isso.

@posativ made some strides in reworking the core in https://github.com/posativ/isso/pull/108 but decided to abandon the work. pg-discuss by @sprin was also a great effort that was intended to collaborate a lot with Isso.

We'll see where efforts to revive this sort of collaboration take us. I'm hopeful we can revive some of the enthusiasm now that there are more maintainers.