Problem description: Phabricator lacks a method to initiate OAuth 2.0 SSO from a third party website.
We have an "Intranet" portal, which has links to various web-based applications we use. Phabricator is one of the applications. Users can click the links on the portal, and they'll be redirected to the web application in question, with seamless Single Sign-On (SSO). SSO for the applications is often implemented by using OAuth 2.0 authentication or OpenID Connect against the Identity Provider (IDP) we use. Now the actual problem is that Phabricator does not provide a way to "initiate" the OAuth 2.0 SSO login from third-party websites (such as our Intranet portal). Instead, when users click the "Phabricator" link on our intranet portal they'll be redirected to the Phabricator login page, where they need to click *again* to choose the authentication method or manually fill in their username/password. We want to make this easier.
OpenID Connect specification (based on OAuth 2.0) describes a method for "Initiating Login from a Third Party", which is exactly what's missing from Phabricator: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
Basically, Phabricator needs to provide a URL, say, "https://phabricator.domain.tld/auth/initiate_login", so one can link to that URL from the third-party website (our portal), which then allows initiating easy and automatic SSO login for users, using the existing external OAuth authentication providers available and configured in the Phabricator server. This same method works for *all* of the existing external OAuth authentication providers (Google, GitHub, Amazon, Facebook, Azure, etc.).
As you can see from the OpenID Connect Core Specification, the proposed "initiate_login_uri" needs to accept an "iss" (Issuer Identifier) parameter, which basically tells which OAuth authentication provider to use when initiating the SSO process. An example URL to link to from a third-party website to initiate the SSO process from Phabricator would be:
https://phabricator.domain.tld/auth/initiate_login?iss=https://accounts.google.com
(well, the parameter needs to obviously be URL encoded, but you get the idea).
I've implemented a proof-of-concept about this feature by hacking PhabricatorAuthStartController.php to provide the mentioned "initiate_login" URI, which then verifies if the "iss" parameter URL can be found among the configured OAuth authentication providers in Phabricator, and if found, makes a redirect to that OAuth authentication provider starting the SSO process, which then continues just like it normally does between Phabricator and the OAuth Identity Provider. The POC implementation seems to work OK.
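To make the proposed flow concrete, here is an added example (not the proof-of-concept above and not Phabricator code) of the core logic such an "initiate_login" endpoint needs: read the "iss" parameter, match it exactly against the issuers of the configured providers, and only then redirect to that provider's authorization endpoint with a fresh "state" value. It goes slightly beyond the request above by also handling the optional "login_hint" and "target_link_uri" parameters from the same spec section; "target_link_uri" is only honoured when it points back at the site itself, so the endpoint cannot be used as an open redirector. The provider table, hostnames, client id and callback path are constructed sample values, and the session is a plain dict standing in for the real session store.

```python
"""Minimal third-party-initiated login handler (added example, not Phabricator's code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample of the "configured OAuth providers", keyed by issuer.
# (Assumption: the real server stores provider config differently.)
PROVIDERS = {
    "https://accounts.google.com": {
        "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth",
        "client_id": "example-client-id",  # placeholder, not a real client id
        "scope": "openid email",
    },
}
SITE_HOST = "phabricator.example.test"          # constructed hostname
LOGIN_PAGE = f"https://{SITE_HOST}/auth/start/"   # ordinary login page (fallback)
CALLBACK_URL = f"https://{SITE_HOST}/auth/login/google/"  # constructed callback path


def normalize_issuer(iss):
    """Canonicalize an issuer URL for exact comparison.

    Requires https, lowercases the host, strips a trailing slash and drops
    any query/fragment. Returns None for anything that is not an https URL.
    """
    parts = urlsplit(iss.strip())
    if parts.scheme != "https" or not parts.netloc:
        return None
    return urlunsplit(("https", parts.netloc.lower(), parts.path.rstrip("/"), "", ""))


def is_local_url(url):
    """True only for absolute https URLs on our own host (used for target_link_uri)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc.lower() == SITE_HOST


def handle_initiate_login(query_string, session):
    """Return the URL the browser should be redirected to for this request.

    Unknown or missing "iss" values fall back to the normal login page rather
    than redirecting anywhere the caller chose.
    """
    params = parse_qs(query_string)
    iss = normalize_issuer(params.get("iss", [""])[0])
    provider = PROVIDERS.get(iss) if iss else None
    if provider is None:
        return LOGIN_PAGE

    # Optional post-login destination: keep it only if it stays on our site.
    target = params.get("target_link_uri", [None])[0]
    if target is not None and is_local_url(target):
        session["next"] = target

    # Fresh per-request state, stored server-side so the callback can verify it.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state

    query = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": CALLBACK_URL,
        "scope": provider["scope"],
        "state": state,
    }
    login_hint = params.get("login_hint", [None])[0]
    if login_hint:
        query["login_hint"] = login_hint
    return provider["authorize_url"] + "?" + urlencode(query)


if __name__ == "__main__":
    sess = {}
    print(handle_initiate_login("iss=https%3A%2F%2Faccounts.google.com", sess))
    print(handle_initiate_login("iss=https://idp.attacker.example", {}))
```

The exact-match lookup is the important part: the "iss" value selects a provider from the server's own configuration, it never becomes a redirect target by itself, and the rest of the exchange (state check, code exchange) proceeds exactly as the existing provider login does.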
Does this sound like something that Phabricator upstream wants to have integrated? Or is there already some existing way to accomplish this? Any feedback? Thoughts? :)