What is Authing?
Authing is the first developer-centric full-scenario identity cloud product in China. It integrates all mainstream identity authentication protocols to provide enterprises and developers with comprehensive and secure user authentication and access management services.
With "API First" as the cornerstone of the product, all common functions in the identity field are modularized and packaged, and every capability is provided to developers as an API through SDKs for all mainstream programming languages. At the same time, users can flexibly call Authing's open RESTful APIs to extend functionality and meet the identity management needs of different enterprises in different business scenarios.
Traditional system SSO single sign-on transformation
First, the user system of the original application needs to be reworked so that it can speak a common user authentication standard protocol (such as OAuth). If the system is large, you may even need to extract the user system from the original business logic and turn it into a user center for single sign-on. Achieving this requires a series of complex development and operations work: design, coding, testing, upgrades, and scaling.
This approach is time-consuming, labor-intensive, costly, and high-risk (you keep running into pitfalls outside your own business domain).
Authing SSO integration
If your application is built on the identity system provided by Authing, congratulations: you can complete the single sign-on integration in a few steps with very little code (or just configuration).
This approach is low-cost, requires no additional design and development, and uses standard protocols, so the integration is straightforward.
Discourse installation
References:
- Discourse official Docker repository: https://github.com/discourse/discourse_docker
- Installation guide document: https://github.com/discourse/discourse/blob/main/docs/INSTALL-cloud.md
It is recommended to fork the Discourse Docker repository, develop and debug locally, and confirm that everything works before installing in the production environment. Below are simple installation steps and an FAQ for common configuration problems.
Note: Please install it on a Linux server or macOS (on Windows you will have to explore on your own).
Pull the Discourse Docker repository
git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse
Run the automated configuration script:
./discourse-setup
Non-root users need to prefix the command with sudo. Enter the configuration items step by step as prompted to complete the installation configuration. The default configuration will most likely not work when running locally.
Open the containers/app.yml configuration file to adjust the configuration. If you prefer to configure it manually, you can also execute:
cp samples/standalone.yml containers/app.yml
to copy a sample template and start from there.
Application configuration
Before starting the configuration, make sure that the domain name has been bound to the server (an A record in DNS), or modify the local /etc/hosts file. Do not use example.com, and for local development and debugging avoid domain suffixes that force https, such as .app and .dev (browsers treat these TLDs as HTTPS-only via HSTS preloading).
Environment variable setting reference:
env:
  LC_ALL: en_US.UTF-8
  LANG: en_US.UTF-8
  LANGUAGE: en_US.UTF-8
  EMBER_CLI_PROD_ASSETS: 1
  # DISCOURSE_DEFAULT_LOCALE: en
  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  #UNICORN_WORKERS: 3
  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: 'discourse.local'
  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  # DOCKER_USE_HOSTNAME: true
  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'willin@willin.org'
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: smtp.mail.qq.com
  DISCOURSE_SMTP_PORT: 25
  DISCOURSE_SMTP_USER_NAME: willin@willin.org
  DISCOURSE_SMTP_PASSWORD: "password"
  DISCOURSE_SMTP_ENABLE_START_TLS: false # (optional, default true)
  DISCOURSE_SMTP_AUTHENTICATION: plain
  DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
  DISCOURSE_NOTIFICATION_EMAIL: willin@willin.org
  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: me@example.com
  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com
  ## The maxmind geolocation IP address key for IP address lookup
  ## see https://meta.discourse.org/t/-/137387/23 for details
  #DISCOURSE_MAXMIND_LICENSE_KEY: 1234567890123456
Brief description:
- UNICORN_WORKERS: set the number of workers according to the number of CPUs, or configure it manually
- DISCOURSE_HOSTNAME: configure the domain name correctly
- DISCOURSE_SMTP_XXX: configure the SMTP mail sending service correctly, otherwise verification codes and notification emails will not be received
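The SMTP and hostname settings above are easy to get subtly wrong (STARTTLS switched off, certificate verification set to none, a '#' in the password, a bare IP as hostname), so here is a small linter, written for this article as an added example rather than code from Discourse or Authing, that checks an env mapping for those pitfalls. Both sample configurations are constructed: the weak one mirrors the walkthrough's values, and the hardened one assumes the mail provider accepts authenticated submission on port 587 with STARTTLS (an assumption, not something the post states).

```python
"""Lint the `env:` section of a Discourse containers/app.yml for weak SMTP
and hostname settings.

Added example, not part of the original post or of Discourse. The rules
encode the caveats the sample config's own comments mention (bare IP
hostname, '#' in the SMTP password) plus basic TLS hygiene checks.
"""
import ipaddress

# Constructed sample: the weak settings from the walkthrough above
# (the '#' in the password is deliberate, to trigger that check).
WEAK_ENV = {
    "DISCOURSE_HOSTNAME": "discourse.local",
    "DISCOURSE_SMTP_ADDRESS": "smtp.mail.qq.com",
    "DISCOURSE_SMTP_PORT": 25,
    "DISCOURSE_SMTP_USER_NAME": "forum@example.invalid",
    "DISCOURSE_SMTP_PASSWORD": "pass#word",
    "DISCOURSE_SMTP_ENABLE_START_TLS": False,
    "DISCOURSE_SMTP_AUTHENTICATION": "plain",
    "DISCOURSE_SMTP_OPENSSL_VERIFY_MODE": "none",
}

# Constructed hardened variant. Assumption: the provider offers
# authenticated submission on port 587 with STARTTLS.
HARDENED_ENV = {
    "DISCOURSE_HOSTNAME": "discourse.example.invalid",
    "DISCOURSE_SMTP_ADDRESS": "smtp.mail.qq.com",
    "DISCOURSE_SMTP_PORT": 587,
    "DISCOURSE_SMTP_USER_NAME": "forum@example.invalid",
    "DISCOURSE_SMTP_PASSWORD": "correct-horse-battery",
    "DISCOURSE_SMTP_ENABLE_START_TLS": True,
    "DISCOURSE_SMTP_AUTHENTICATION": "plain",
    "DISCOURSE_SMTP_OPENSSL_VERIFY_MODE": "peer",
}


def _is_true(value):
    """YAML booleans may arrive as a bool or as the strings true/false."""
    return str(value).strip().lower() in ("1", "true", "yes")


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_env(env):
    """Return a list of (key, message) findings; an empty list means clean."""
    findings = []

    host = str(env.get("DISCOURSE_HOSTNAME", "")).strip()
    if not host:
        findings.append(("DISCOURSE_HOSTNAME", "missing; Discourse needs a hostname"))
    elif _is_bare_ip(host):
        findings.append(("DISCOURSE_HOSTNAME", "bare IP address; Discourse will not work with it"))

    if "#" in str(env.get("DISCOURSE_SMTP_PASSWORD", "")):
        findings.append(("DISCOURSE_SMTP_PASSWORD",
                         "contains '#', which the sample config warns can cause problems"))

    port = int(env.get("DISCOURSE_SMTP_PORT", 25))
    if not _is_true(env.get("DISCOURSE_SMTP_ENABLE_START_TLS", True)):
        findings.append(("DISCOURSE_SMTP_ENABLE_START_TLS",
                         "STARTTLS disabled; credentials and mail travel in cleartext"))
    if port == 25 and env.get("DISCOURSE_SMTP_USER_NAME"):
        findings.append(("DISCOURSE_SMTP_PORT",
                         "authenticated submission on port 25; use 587 with STARTTLS"))

    if str(env.get("DISCOURSE_SMTP_OPENSSL_VERIFY_MODE", "peer")).lower() == "none":
        findings.append(("DISCOURSE_SMTP_OPENSSL_VERIFY_MODE",
                         "certificate verification disabled; the SMTP server can be impersonated"))
    return findings


if __name__ == "__main__":
    for name, env in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, "->", lint_env(env) or "clean")
```

Run it before `./launcher bootstrap app`; the weak config produces four findings, the hardened one none.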
Plugin configuration:
## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-oauth2-basic.git
          - git clone https://github.com/angelim/discourse_user_auto_activation.git
The role of these three plugins:
- Docker manager, included by default
- OAuth 2 plugin, used for single sign-on via the Authing SSO connection
- Automatic (email) activation plugin, optional
Start the forum service
Reminder: configure the SSL certificate before starting the service (see the FAQ section on SSL certificate configuration, or use Let's Encrypt to issue one).
After the configuration is complete, build the image and start the container:
./launcher bootstrap app
./launcher start app
If it has already been initialized, rebuild the image with:
./launcher rebuild app
The process takes a while, so be patient. Below is a collection of the problems and tips I ran into while debugging.
FAQ
Domain name configuration
The templates section is the main thing to modify:
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"
- If SSL support is required, "templates/web.ssl.template.yml" needs to be included.
- If you want free certificates with automatic renewal for the domain name, "templates/web.letsencrypt.ssl.template.yml" needs to be included as well.
At the same time, open the port as needed:
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80:80"   # http
  - "443:443" # https
SSL certificate configuration
First make sure that the file directory mapping is correct:
## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/log/var-log
      guest: /var/log
Given this directory mapping, place the certificate files in the ssl directory under the shared volume on the host, and check that these two file paths exist and are correct:
/var/discourse/shared/standalone/ssl/ssl.crt
/var/discourse/shared/standalone/ssl/ssl.key
Reference for generating a self-signed certificate:
# generate a passphrase-protected 4096-bit RSA key (the passphrase here is a throwaway value)
openssl genrsa -aes256 -passout pass:gsahdg -out ssl.pass.key 4096
# strip the passphrase so nginx can load the key without prompting
openssl rsa -passin pass:gsahdg -in ssl.pass.key -out ssl.key
# create the certificate signing request; the Common Name must be the forum's domain name
openssl req -new -key ssl.key -out ssl.csr
# prompts, with the answers used here:
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) []:CN
# State or Province Name (full name) []:Jiangsu
# Locality Name (eg, city) []:Nanjing
# Organization Name (eg, company) []:Xibang Tech
# Organizational Unit Name (eg, section) []:
# Common Name (eg, fully qualified host name) []:discourse.local
# Email Address []:willin@willin.org
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# self-sign the request with the same key, valid for 365 days
openssl x509 -req -sha256 -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
The self-signed certificate then needs to be trusted. On macOS, double-click the .crt file to open it, set Trust to Always Trust, and enter your password twice when prompted.
Disable SSL
This step is not necessary. If you don't feel like configuring a local self-signed SSL certificate (as I didn't), you can start from the original configuration and comment out the SSL part.
# first copy the config out of the container
docker cp app:/etc/nginx/conf.d/discourse.conf ./discourse.conf
# after editing the config, copy it back and reload nginx
docker cp ./discourse.conf app:/etc/nginx/conf.d/discourse.conf
docker exec app nginx -s reload
The main change is to map https requests back to http:
# attempt to preserve the proto, must be in http context
map $http_x_forwarded_proto $thescheme {
  default $scheme;
  https http;
}
and to remove the redirect from port 80 to 443:
server {
  listen 80;
  # delete the redirect here and merge this block with the `server` block that listens on 443
}
Build or launch failed
Reason for failure: a git clone error occurs after executing the command. This happens when a server in mainland China pulls from GitHub. You can import the GitHub repository into Gitee (Code Cloud) or another domestic Git hosting provider and then use the mirror address instead.
Reason for failure: the domain name cannot be reached. Check the configuration or the local hosts file to see whether the domain name has been bound.
Reason for failure: startup succeeds but the site cannot be accessed. This generally only happens during local debugging. Although you can start with any domain name, watch out for the rules: for example, if the SSL certificate is not configured, the nginx error log will show it; with the .dev domain I use for local testing, the self-signed SSL certificate was always inaccessible even though the nginx access log looked normal.
Visit the forum and perform initial configuration
Visit localhost or the domain name you configured, register the administrator user and perform the initial configuration.
After re-entering through the email verification link, the setup wizard starts. After its 11 steps are done, go to the admin panel and open Settings.
Select [Login] in the left sidebar.
Turn off local login (to be on the safe side, you can also turn it off only after the single sign-on configuration is complete).
Go to the plugin settings:
After clicking Settings, stay on the current configuration page (you will continue here later). Open the Authing console in a new window.
Authing SSO single sign-on integration
Find Discourse in the Single Sign-On (SSO) Marketplace and click Get App to enter the configuration.
The first step is to fill in the forum name; the second step is to configure the login.
You only need to fill in a Redirect URI (note that http and https are distinguished here; if it is wrong, a redirect_uri_mismatch error will be reported). The other configuration items are copied into the Discourse plugin configuration. Example: http://discourse.local/auth/oauth2_basic/callback (replace the domain name with yours and keep the path unchanged).
In addition, the items that need to be configured are:
- oauth2 json user id path: fill in sub
- oauth2 json username path: fill in nickname or username
- oauth2 json name path: fill in name
- oauth2 json email path: fill in email
- oauth2 json email verified path: fill in email_verified
- oauth2 json avatar path: fill in picture
- oauth2 send auth header (Send client credentials in HTTP Authorization header): unchecked
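To make the redirect_uri_mismatch remark and the JSON path mappings concrete, here is an added example (not code from Authing or from the discourse-oauth2-basic plugin) that does two things: it compares a redirect URI the way an authorization server does, as an exact string match on scheme, host and path, and it resolves the configured JSON paths against a user-info response, discarding the email unless email_verified is true so that an unverified address cannot be used to link the login to an existing local account (such as the administrator's). The dot-separated path syntax and the user-info document are assumptions constructed for the example.

```python
"""Redirect URI matching and user-info claim mapping for an OAuth2 login.

Added example; not the plugin's or Authing's code. The path syntax is an
assumption modelled on the plugin's settings; the user-info JSON below is
constructed sample data.
"""
import json
from urllib.parse import urlsplit

# Plugin settings as entered in the walkthrough above.
PATH_SETTINGS = {
    "user_id": "sub",
    "username": "nickname",
    "name": "name",
    "email": "email",
    "email_verified": "email_verified",
    "avatar": "picture",
}

# Constructed sample user-info response (OIDC-style claims). Note the
# unverified email: it must not be used to match an existing account.
SAMPLE_USERINFO = json.loads("""{
  "sub": "5f1e4c2a0b1c2d3e4f5a6b7c",
  "nickname": "willin",
  "name": "Willin Wang",
  "email": "admin@discourse.local",
  "email_verified": false,
  "picture": "https://cdn.example.invalid/avatar.png"
}""")


def redirect_uri_matches(registered, requested):
    """Exact comparison as authorization servers apply it: scheme, host:port,
    path and query must all be identical, so http vs https, or a trailing
    slash, produces redirect_uri_mismatch."""
    a, b = urlsplit(registered), urlsplit(requested)
    return (a.scheme.lower(), a.netloc.lower(), a.path, a.query) == \
           (b.scheme.lower(), b.netloc.lower(), b.path, b.query)


def lookup_path(document, path):
    """Resolve a dot-separated path such as 'data.user.email' in parsed JSON.
    Numeric segments index into lists. Returns None if any segment is missing
    (assumed plugin semantics)."""
    node = document
    for segment in path.split("."):
        if isinstance(node, list):
            try:
                node = node[int(segment)]
            except (ValueError, IndexError):
                return None
        elif isinstance(node, dict) and segment in node:
            node = node[segment]
        else:
            return None
    return node


def map_user(userinfo, settings=PATH_SETTINGS):
    """Build the forum-side user record from the provider's user-info JSON.
    The email is kept only when the provider vouches for it; otherwise it is
    dropped so it cannot be used for account linking."""
    user = {field: lookup_path(userinfo, path) for field, path in settings.items()}
    if user["user_id"] in (None, ""):
        raise ValueError("user id claim missing; cannot establish a stable identity")
    if user["email_verified"] is not True:
        user["email"] = None
    return user


if __name__ == "__main__":
    registered = "http://discourse.local/auth/oauth2_basic/callback"
    print(redirect_uri_matches(registered, registered.replace("http://", "https://")))
    print(map_user(SAMPLE_USERINFO))
```

With the sample data the https variant of the callback is rejected, and the mapped user keeps its id, username and avatar but gets email None; flipping email_verified to true in the user-info restores the email.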
Save the plugin configuration.
After saving the access authorization, you can test it in a new privacy window.
The Authing user information is carried over to the forum automatically. The test succeeded.
At the same time, the administrator account (the email address is the same as that of the Authing user) can be seamlessly connected to the Authing SSO single sign-on method.
So far, you're done.
Extension
Through Authing SSO you can also integrate the following without writing code:
- Collaboration tools: such as ZenTao, ProcessOn, Graphite Documents, Notion, Tower, Teambition, Feishu, Confluence, etc.
- Cloud computing resources: such as Alibaba Cloud, Tencent Cloud, AWS, Baidu Smart Cloud, Kingsoft Cloud, Huawei Cloud, etc.
- Developer tools: such as Gitlab, Jira, Coding.net, Bitbucket, Jenkins, etc.
- (Currently available in the app store) A total of 120 services/platforms/software
It can also integrate various systems and software in a low-code/zero-code way. The protocols currently supported for self-built applications are:
- OAuth 2.0
- SAML 2
- CAS
Using Authing SSO, it's easy to integrate single sign-on for NodeBB forums, Wordpress sites, and more.