What is Authing?

Authing is the first developer-centric full-scenario identity cloud product in China. It integrates all mainstream identity authentication protocols to provide enterprises and developers with comprehensive and secure user authentication and access management services.

With "API First" as the cornerstone of the product, all common functions in the identity field are modularized and packaged, and all capabilities are provided to developers as APIs through the full-scene programming language SDK. At the same time, users can flexibly use Authing's open RESTful APIs to expand functions to meet the identity management needs of different enterprises in different business scenarios.

Retrofitting single sign-on (SSO) onto a traditional system

First, the user system of the original application has to be reworked so that it speaks a common user-authentication standard (such as OAuth). If the system is large, you may even have to extract the user system from the original business code and turn it into a user center that serves single sign-on. Reaching that point requires a chain of complex development and operations work: design, coding, testing, upgrades, and scaling.

This approach is time-consuming, labour-intensive, expensive, and high-risk (you keep running into pitfalls outside your own business domain).

Authing SSO integration

If your application is built on the identity system provided by Authing, congratulations: you can complete the single sign-on integration in a few steps with very little code (or just configuration).

This approach is low-cost, needs no extra design or development, and relies on standard protocols, so the connection is straightforward.

Discourse installation

References:

It is recommended to fork the Discourse Docker repository and do the development and debugging locally; confirm everything works before installing in the production environment. Below are the basic installation steps and an FAQ for common configuration problems.

Note: install on a Linux server or macOS (Windows users will have to work it out on their own).

Pull the Discourse Docker repository

git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse

Using an automated configuration script:

./discourse-setup

Non-root users need to prefix the command with sudo. Enter the configuration items step by step as prompted to complete the installation configuration. The defaults will most likely not work when running locally.

Open the containers/app.yml configuration file to adjust the configuration. If you would rather configure everything by hand, you can instead run:

cp samples/standalone.yml containers/app.yml

to copy a sample template as a starting point.

Application configuration

Before starting the configuration, make sure the domain name already points at the server (an A record in DNS), or edit the local /etc/hosts file. For local development and debugging, do not use example.com, and avoid domain suffixes that browsers force to https (HSTS-preloaded TLDs such as .app and .dev).

Environment variable setting reference:

env:
  LC_ALL: en_US.UTF-8
  LANG: en_US.UTF-8
  LANGUAGE: en_US.UTF-8
  EMBER_CLI_PROD_ASSETS: 1
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  #UNICORN_WORKERS: 3

  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: 'discourse.local'

  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  # DOCKER_USE_HOSTNAME: true

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'willin@willin.org'

  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: smtp.mail.qq.com
  DISCOURSE_SMTP_PORT: 25
  DISCOURSE_SMTP_USER_NAME: willin@willin.org
  DISCOURSE_SMTP_PASSWORD: "password"
  DISCOURSE_SMTP_ENABLE_START_TLS: false       # (optional, default true)
  DISCOURSE_SMTP_AUTHENTICATION: plain
  # 'none' disables TLS certificate checks for the SMTP server; only acceptable for local debugging,
  # and with START_TLS off on port 25 the plain-auth password goes over the wire unencrypted
  DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none

  DISCOURSE_NOTIFICATION_EMAIL: willin@willin.org

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
  ## The maxmind geolocation IP address key for IP address lookup
  ## see https://meta.discourse.org/t/-/137387/23 for details
  #DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456

Brief description:

  • UNICORN_WORKERS : Set the number of workers according to the number of CPUs, or configure it manually
  • DISCOURSE_HOSTNAME : Configure the domain name correctly
  • DISCOURSE_SMTP_XXX : Configure the SMTP mail sending service correctly, otherwise verification codes and notification emails will not be received

Plugin configuration:

## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-oauth2-basic.git
          - git clone https://github.com/angelim/discourse_user_auto_activation.git

What these three plugins do:

  • Docker management, included by default
  • OAuth 2 integration, used for single sign-on through the Authing SSO connection
  • Automatic (email) account activation plugin, optional

Start the forum service

Reminder: configure the SSL certificate before starting the service (refer to FAQ SSL certificate configuration, or use Let's Encrypt to issue a certificate).

After the configuration is complete, create an image:

./launcher bootstrap app
./launcher start app

If it has been initialized, it can be re-imaged by:

./launcher rebuild app

The process is long, be patient. Below is a compilation of some of the problems and tips I encountered during debugging.

FAQ

Domain name configuration

The main modification template:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"

  • If SSL support is required, "templates/web.ssl.template.yml" needs to be imported.
  • If you want free certificate renewal for the domain, "templates/web.letsencrypt.ssl.template.yml" needs to be imported as well.

At the same time, open the port as needed:

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80:80"   # http
  - "443:443" # https

SSL certificate configuration

First make sure that the file directory mapping is correct:

## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/log/var-log
      guest: /var/log

Similar to this directory mapping, place the certificate file in the corresponding ssl directory and check whether the two file paths are correct:

/var/discourse/shared/standalone/ssl/ssl.crt
/var/discourse/shared/standalone/ssl/ssl.key

Reference for self-signed certificate:

openssl genrsa -aes256 -passout pass:gsahdg -out ssl.pass.key 4096
openssl rsa -passin pass:gsahdg -in ssl.pass.key -out ssl.key  
openssl req -new -key ssl.key -out ssl.csr             

# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) []:CN
# State or Province Name (full name) []:Jiangsu
# Locality Name (eg, city) []:Nanjing
# Organization Name (eg, company) []:Xibang Tech
# Organizational Unit Name (eg, section) []:
# Common Name (eg, fully qualified host name) []:discourse.local
# Email Address []:willin@willin.org

# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:      
openssl x509 -req -sha256 -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt

The self-signed certificate needs to be trusted. On macOS, double-click the .crt file to open it and set Trust to Always Trust; you will be asked for your password twice during the process.

Disable SSL

This step is optional. If you do not want to set up a local self-signed SSL certificate (as in my case), you can test with the original configuration and comment out the SSL part.

# First copy the configuration out of the container
docker cp app:/etc/nginx/conf.d/discourse.conf ./discourse.conf
# After editing the configuration, run:
docker cp ./discourse.conf app:/etc/nginx/conf.d/discourse.conf
docker exec app nginx -s reload

The main change is to map the https scheme back to http:

# attempt to preserve the proto, must be in http context
map $http_x_forwarded_proto $thescheme {
  default $scheme;
  https http;
}

Remove the server block that redirects port 80 to 443:

server {
  listen 80;
  # delete the redirect part and merge this block with the `server` block that listens on 443
}

Build or launch failed

Reason for failure: a git clone error occurs after executing the 061e23fca2155f command; this happens when a server in mainland China pulls from GitHub. You can import the GitHub repository into Gitee (Code Cloud) or another domestic Git hosting provider and then use that mirror address instead.

Reason for failure: the domain name cannot be reached. Check the configuration or the local HOSTS file to see whether the domain name has been bound.

Reason for failure: startup succeeds but the site cannot be accessed. This usually only happens during local debugging. Although you can pick any hostname, follow the rules: for example, if no SSL certificate is configured, the nginx-error log will show it; with the .dev domain I used when testing locally, the self-signed SSL certificate was never accepted even though the nginx-access log looked normal.

Visit the forum and perform initial configuration

Visit localhost or the domain name you configured, register an administrator user and perform initial configuration.

After coming back in through the email verification link, the setup wizard starts. Once its 11 steps are done, go to Admin > Settings.

Select [Login] on the left sidebar

Turn off local login (recommended to be on the safe side; it can also be turned off after the single sign-on configuration is complete).

Go to plugin settings:

After clicking Settings, stay on the current configuration page (you will continue here later) and open the Authing console in a new window.

Authing SSO single sign-on integration

Find Discourse in the single sign-on (SSO) app marketplace and click Get App to enter the configuration.

The first step is to fill in the forum name; the second step is to configure the login.

You only need to fill in the Redirect URI (note that http and https are distinguished here; if it is wrong, a redirect_uri_mismatch error will be reported). The other configuration items are copied into the Discourse plugin configuration. Example: http://discourse.local/auth/oauth2_basic/callback (replace the domain name with your own and keep the path unchanged).


In addition, the items that need to be configured are:

  • oauth2 json user id path : fill in sub
  • oauth2 json username path : Fill in nickname or username
  • oauth2 json name path : Fill in name
  • oauth2 json email path : Fill in email
  • oauth2 json email verified path : Fill in email_verified
  • oauth2 json avatar path : Fill in picture
  • oauth2 send auth header (Send client credentials in HTTP Authorization header): unchecked
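The two places this configuration usually goes wrong are the redirect URI (scheme and path must match exactly) and the JSON paths that pick the user fields out of the userinfo response. The following is an added example, not code from the page or from the Discourse OAuth2 Basic plugin: it applies the path settings listed above to a constructed userinfo document and checks a redirect URI the way the mismatch error implies.

```python
import json
from urllib.parse import urlsplit

# The JSON paths entered in the plugin settings above (field -> path in the userinfo JSON).
PLUGIN_PATHS = {
    "user_id": "sub",
    "username": "nickname",
    "name": "name",
    "email": "email",
    "email_verified": "email_verified",
    "avatar": "picture",
}

# Constructed sample userinfo response with OIDC-style claims (not a real Authing reply).
SAMPLE_USERINFO = json.dumps({
    "sub": "constructed-sub-0001", "nickname": "willin", "name": "Willin Wang",
    "email": "willin@willin.org", "email_verified": True,
    "picture": "https://files.example.invalid/avatar.png",
})

def walk_path(obj, path):
    """Follow a dotted path such as 'profile.email' or 'emails.0' through dicts/lists.
    Returns None when any step is missing, so a wrong path never raises."""
    cur = obj
    for key in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(key)
        elif isinstance(cur, list) and key.isdigit() and int(key) < len(cur):
            cur = cur[int(key)]
        else:
            return None
        if cur is None:
            return None
    return cur

def map_userinfo(raw_json, paths=PLUGIN_PATHS):
    """Resolve every configured path; a missing user id is fatal, and email_verified
    is normalised to a strict bool so an absent or string value is not treated as verified."""
    data = json.loads(raw_json)
    fields = {name: walk_path(data, path) for name, path in paths.items()}
    if not fields["user_id"]:
        raise ValueError("user id path did not resolve; check 'oauth2 json user id path'")
    fields["email_verified"] = fields["email_verified"] is True
    return fields

def redirect_uri_matches(registered, actual):
    """Registered and actual callback must agree on scheme, host and path; only the
    host is case-insensitive. http vs https or a changed path is a mismatch."""
    r, a = urlsplit(registered), urlsplit(actual)
    return (r.scheme, r.netloc.lower(), r.path) == (a.scheme, a.netloc.lower(), a.path)
```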

Save the plugin configuration.

After saving, test access and authorization in a new private window.

The Authing user information is brought into the forum automatically. Test successful.

An existing administrator account (whose email address matches the Authing user's) is also linked seamlessly when signing in through Authing SSO.

So far, you're done.

Extensions

Through Authing SSO you can also integrate the following without writing code:

  • Collaboration tools: such as ZenTao, ProcessOn, Graphite Documents, Notion, Tower, Teambition, Feishu, Confluence, etc.
  • Cloud computing resources: such as Alibaba Cloud, Tencent Cloud, AWS, Baidu Smart Cloud, Kingsoft Cloud, Huawei Cloud, etc.
  • Developer tools: such as Gitlab, Jira, Coding.net, Bitbucket, Jenkins, etc.
  • A total of 120 services/platforms/software are currently available in the app store

It can also connect to other systems and software in a low-code/zero-code way. The protocols currently supported for self-built applications are:

  • OAuth 2.0
  • SAML 2
  • CAS

Using Authing SSO, it's easy to integrate single sign-on for NodeBB forums, Wordpress sites, and more.


willin
213 reputation, 12 followers

Feel free to follow me on any platform.