SSO Using Steam to Authenticate

To start, I’d like to say that I’m not terribly familiar with SSO. I’ve been trying out various PHP SSO scripts, but I’m getting stuck on a small detail: I’d like to use Steam to authenticate the user rather than the usual username and password. I’m using Steam so that I don’t need to store usernames and passwords (added bonus of 2FA if the user is inclined). In my scenario, I currently only have two SSO brokers: my primary website and a Discourse forum. The Discourse software has the option of enabling SSO built in, so I’d like something that would be compatible with that. I’m just wondering if it’s possible to use Steam to authenticate with an SSO server, and hopefully get some pointers on how this can be done. I’d also like the Discourse forum to be signed in if the user is signed in to the website, so I believe this limits me to SSO rather than just a normal Steam login method via Discourse.

Currently, my sign-in system is rather disappointing. Users are only signed in for as long as the user’s Steam ID is in a $_SESSION var, which will log the user out rather often. The way I’m using my current script, it’s also probably pinging Steam servers for user info on each page load (been a while since I’ve put it together). I’m using the script from SmltH197’s SteamAuthentication. Instead of doing this, I’d like to have the SSO server cache data that my site uses after authentication, then use the good old cookie method to maintain a session. (I’ve not messed with $_COOKIE stuff yet, but I’m sure it won’t be terribly difficult to sort out). I’m sure I could use this script in a better manner, but not sure how to implement it into an SSO server.

After initial sign-in on the website, I store data from the login in my own database. The primary key is a generated UUID, and I also store avatar and other data that can be used by Discord’s SSO requirements (short of an email, but I’ll modify the login system to prompt for an email later if this looks plausible).

Thanks in advance! Sorry if this is a terribly naive thing to ask.
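
The Discourse half of the flow asked about above, as an added example that is not part of the original post: Discourse sends the SSO endpoint a base64 payload (`sso`) and an HMAC-SHA256 signature (`sig`), and the endpoint answers with a signed payload of its own that echoes the nonce. The secret, user record and URLs are constructed placeholders, and the Steam login is assumed to have been verified already before this code runs.

```php
<?php
declare(strict_types=1);
// Added example: identity-provider side of the Discourse SSO handshake.
// Assumption: the visitor's Steam login was verified before this point.
const SSO_SECRET = 'constructed-shared-secret'; // must match the secret set in Discourse

/** Verify Discourse's signed request and return its decoded fields. */
function parseDiscourseRequest(string $sso, string $sig, string $secret): array
{
    if (!hash_equals(hash_hmac('sha256', $sso, $secret), $sig)) { // constant-time compare
        throw new RuntimeException('Bad SSO signature');
    }
    $decoded = base64_decode($sso, true);
    if ($decoded === false) {
        throw new RuntimeException('Payload is not valid base64');
    }
    parse_str($decoded, $fields);
    if (empty($fields['nonce']) || empty($fields['return_sso_url'])) {
        throw new RuntimeException('Missing nonce or return_sso_url');
    }
    return $fields;
}

/** Build the signed redirect that logs the user in to Discourse. */
function buildDiscourseRedirect(array $request, array $user, string $secret): string
{
    $payload = base64_encode(http_build_query([
        'nonce'       => $request['nonce'], // echoed back so Discourse can match its request
        'external_id' => $user['uuid'],     // stable key from the site's own database
        'email'       => $user['email'],    // Discourse requires an email address
        'username'    => $user['name'],
        'avatar_url'  => $user['avatar'],
    ]));
    $sig = hash_hmac('sha256', $payload, $secret);
    $sep = strpos($request['return_sso_url'], '?') === false ? '?' : '&';
    return $request['return_sso_url'] . $sep . http_build_query(['sso' => $payload, 'sig' => $sig]);
}

// Constructed request, shaped like the one Discourse sends to the SSO endpoint.
$sso = base64_encode('nonce=abc123&return_sso_url=' . urlencode('https://forum.example/session/sso_login'));
$sig = hash_hmac('sha256', $sso, SSO_SECRET);
$request = parseDiscourseRequest($sso, $sig, SSO_SECRET);
$user = [ // constructed record standing in for the row stored after Steam sign-in
    'uuid' => '00000000-0000-4000-8000-000000000000', 'email' => 'user@example.com',
    'name' => 'example_user', 'avatar' => 'https://site.example/avatars/example.jpg',
];
echo buildDiscourseRedirect($request, $user, SSO_SECRET), "\n";
```

If the visitor has no site session yet, the endpoint would send them through the Steam login first and build this redirect only after that succeeds.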
