Integrated identity

[nicksaahs]

I'm trying to use POPForums in a larger app (for a cohousing group), because it appears to be the best around (nice work, by the way)
In that larger app, I already have identity in place, but POPForum manages its own users and identity.
It's not so hard to change my own stuff to make a POPForum-user when there is one in my app, but I don't see what to override/alter/... to pass the identity of the user logged in to my app on to POPForum (that bundle of code is quite a puzzle to me). It seems obvious to make another UserRetrievalShim, but even then I'm struggling.
Right now, POPForums makes me login (which is bad enough) but it also for some reason logs off the user in my main app.

Also, obviously, I would want some of the items in the admin/account mgmt to not show up anymore.

Are there ways to get all this done without having to rewrite half of what you made?

[jeffputz]

It's using standard cookie authentication.

• When you use services.AddPopForumsMvc() in startup, that extension method configures the scheme with services.AddAuthentication().AddCookie...).
• When you login, it creates a claims principal and calls the httpContext.SignInAsync() method, which is in Microsoft.AspNetCore.Authentication. That uses magic, because it's configured, to create the encrypted token with the principal.
• You also configure app.UsePopForumsAuth() in startup, which is just a shortcut to use the PopForumsAuthorizationMiddleware.
• That uses the same plumbing to read the cookie (because that's what's configured) by using httpContext.AuthenticateAsync(), and rehydrates the principal into the HttpContext for the Request. Since it looked up the user anyway, it stashes the object in the context Items collection, which is where UserRetrievalShim is getting it.

Now, there is no simple way to swap out the entire identity system at the data tier level, because the user table is connected to profile and user activity tables. The way I would integrate is to have the source of truth identity system expose an OAuth endpoint, and configure the forum to use that. You'd have to modify it to remove the create account and regular login pages, and then using the IdentityController.ExternalLoginCallback() method as a starting point to provision a user if it doesn't exist, then do the login on the matching ID from the OAuth identity provider.

I've been thinking about some kind of flag to do all of this as the default. It seems like something a lot of people would like to have.

[nicksaahs]

Very kind of you to respond. I'm honestly meddling with stuff way above my skills, and some of what you write is damn near chinese to me (I'm figuring out identity and authentication as I go).

However: assuming I can properly populate the pf_PopForumsUser table from my own user table, I was hoping POPForums is always using UserRetrievalShim to check whether the user is logged in and/or to get its authorization (because by implementing and registering my own IUserRetrievalShim, I can just feed it my own "fake" PopForums.Models.User. Can you confirm this or suggest what else would be needed in this line of thinking?
If, on top of that, I manage to perform the same actions (logging of latest login etc) whenever the user connects to my app, I'm quite far along the way, no? Or do you see issues there?

If you feel my thoughts are going nowhere or my abilities lack, don't hesitate to call that out. I respect your work too much to waste your time.

[jeffputz]

The issue is that anything that I change going forward is going to be a pain for you to integrate. Tightly coupling the forum to your own application makes both hard to change. What I was describing, using an external identity provider, is a lot like pretending you're Google or Facebook. Identity is an area of expertise on to itself, but I think it's worth learning some basics. If you want to learn, mostly in isolation, what that looks like on the consumption end of things, check out my https://github.com/POPWorldMedia/POPIdentity project. Writing your own thing to surface an identity is a lot of work, which is why there are a number of commercial offerings for this. You can also use Azure AD (or whatever it's called now).

[nicksaahs]

I was a bit pigheaded and went ahead anyway. I got most of it working now. I needed some tweaking by injecting my own FakePopForumsAuthorizationMiddleware and ForumUserRetrievalShim and then just calling userService.CreateUser and profileService.Create whenever a user is registered in my main app. All in all very happy with the results so far.
I do plan to check POPIdentity sometime soon, though, even though the coupling is not all that tight, it appears.