Testing help: POP Forums integrated with OAuth identity provider
For a lot of years, consumers of my open source project, POP Forums, have asked about the best way to integrate with whatever they were working with in their environment. This usually landed them in a world of hacks involving disparate databases. Of course, there's a better way, and that's to use some kind of OAuth flow through an external identity provider. The groundwork for that has been around for a long time, in the shape of social logins. However, the idea here is that the external provider would be involved to provision accounts, eliminating any kind of signup flow.
I created an issue for this in 2020, and one contributor even did a pull request to accomplish this specifically with IdentityServer 4. I had done a talk about identity platform options at Codemash a month before, so this was definitely on my mind. But as this is not a use case that I specifically needed, it hasn't been a priority. Then identity came up at work again, and I figured I'd tackle this since it was in my headspace anyway.
To test this, there's a new page in the docs for OAuth-Only Mode, and the CI build package feed has the bits. Here's what I need from volunteers:
- Just try to stand it up.
- Let me know how it goes with any specific identity provider.
- I tested against Azure AD, exposing "groups" as "roles" to map admin and moderator roles. Being able to verify that your claims map to the roles, as described in the docs, is a big thing to validate.
- Assign and remove those claims and see that the roles come and go in the forum. For admin, there's a link to the admin area in the profile dropdown when you're an admin. When you're a moderator, every thread has moderator stuff at the bottom of the page.
- Change the name of a user in your ID provider, log in with it, and see that the name gets updated in the profile. It won't update the name in old posts, but it should be correct going forward.
- Feel free to look for any kind of vulnerabilities.
- Be on the lookout for any UI elements that are irrelevant, like password or email changing, or any email stuff at all.
If you find anything icky, fire off an issue on GitHub. I have discussions enabled, so for anything that's not an issue but that you want to offer feedback on, that's a great place.
Thank you for your help!
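
An added example, not part of the original post or the POP Forums code base: a small Python helper for the claim checks in the list above. It decodes the ID token payload captured from two logins (without verifying the signature, so for inspection only) and reports which forum roles should appear or disappear and whether the name changed. The `roles` and `name` claim names, the role map and the sample tokens are assumptions constructed for illustration; substitute the values from your own provider and the docs.

```python
import base64
import json

def decode_claims(id_token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def expected_forum_roles(claims, role_map, claim_type="roles"):
    """Map claim values to forum roles; role_map is {claim value: forum role}."""
    values = claims.get(claim_type, [])
    if isinstance(values, str):  # a single value may arrive as a bare string
        values = [values]
    return {role_map[v] for v in values if v in role_map}

def diff_logins(before, after, role_map):
    """Compare the claims from two logins: roles gained, roles lost, name change."""
    old, new = (expected_forum_roles(c, role_map) for c in (before, after))
    return {
        "gained": sorted(new - old),
        "lost": sorted(old - new),
        "name_changed": before.get("name") != after.get("name"),
    }

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed values: placeholder group IDs and assumed forum role names.
ROLE_MAP = {"00000000-0000-0000-0000-00000000000a": "Admin",
            "00000000-0000-0000-0000-00000000000b": "Moderator"}
# First login: user is in both groups. Second login: admin group removed, user renamed.
FIRST = make_sample_token({"name": "Pat Example", "roles": list(ROLE_MAP)})
SECOND = make_sample_token({"name": "Pat Renamed",
                            "roles": "00000000-0000-0000-0000-00000000000b"})

if __name__ == "__main__":
    print(diff_logins(decode_claims(FIRST), decode_claims(SECOND), ROLE_MAP))
```

If the forum shows a role that this diff reports as lost, or keeps the old name after the second login, that is worth reporting.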