OpenID / OAuth Provider for Members SSO

Posting in this topic, as I am not allowed to post to Ideas. (If an admin is willing to move this I’d be super thankful 🙂)

I would love for Ghost to expose an OpenID Connect Provider for authenticating members.

Benefits

If this was implemented I believe it would lead to a lot of flexibility in how people utilize Ghost, as it allows unlimited extendability for custom use cases without bloating the Ghost code base with features that only apply to a niche audience, and without people having to run modified versions of Ghost to bolt on additional features.

Example Use Cases

  • A blog doing moto tours (like what I plan to do) could link to an external download base for providing GPX tracks for members
  • A news blog may provide mini-games for members (similar to what New York Times is doing)
  • A creator could link a video platform providing early access to new videos to paying members

Flow Description

  1. User visits external service (ES)
  2. ES redirects user to Ghost
  3. Ghost authenticates the member
  4. Ghost redirects the member back to the ES callback URL including an ID Token (JWT)
  5. ES parses the JWT, which includes the member’s name, email address and membership tier
  6. ES can now provide the member features tailored to them and their membership

Notes and Stuff

  • Ghost could have this in the Custom Integrations
  • The feature could be implemented in steps, maybe first only allowing a subset of the OpenID Connect Specification
  • Maybe it’d be beneficial to expose membership labels as roles in the ID Token
  • Applications could also be limited to a subset of membership tiers with a notice being displayed if the member’s tier is not permitted to access the application

I’d love to hear what the community thinks of this! If you have any use case for this, feel free to share it so others can get an idea for what value this feature would bring for them and their publication!

It isn’t specifically OpenID standard, but you can actually already do this with Ghost. Check out the /members/api/entitlements JWT. Add a custom page on the Ghost site that gets it (client-side JavaScript running in the browser) and sends the member to the external service with it. Use /members/.well-known/jwks.json to validate.

Wow, that’s actually really cool - thanks for pointing it out! Is there additional documentation available on this? I’ll leave this thread up, since I think a clean OpenID flow would still be a nice feature, but this already goes a long way. Thanks Cathy!