Discourse SSO Provider
Current manager is acting up, likely due to lack of maintenance. Edit: no it's not, I'm lazy and don't want to fix it. So instead of creating accounts, why not just act like an SSO provider?
User clicks login button on Discourse, gets redirected to auth (if not already logged in, is prompted to log in) and if allowed to access Discourse, gets redirected back with account info (username=character name, email=email etc) to authenticate/create account as needed.
To lock out users when they lose access, auth can forcibly terminate sessions via API. Since auth won't know the Discourse user account ID, it can look that up using the external ID provided during SSO (Django user ID is what will most likely be used).
Same logic can be used to sync groups: find user by external ID, retrieve (and possibly store?) Discourse ID, sync groups.
Membership can be revoked on state change or auth account deletion as needed through the logout API by tying into the existing state change receivers.
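
The provider side of the redirect flow described above, as an added example that is not part of the original post or the auth project's code. Discourse's SSO sends a base64 payload (`sso`) with an HMAC-SHA256 signature (`sig`) keyed by a shared secret, and expects the reply signed the same way. The function names, the secret and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


def sign(secret: bytes, payload: bytes) -> str:
    """Hex HMAC-SHA256 of the base64 payload, keyed with the shared SSO secret."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def parse_request(secret: bytes, sso: str, sig: str) -> dict:
    """Verify the sso/sig pair from Discourse before trusting anything in it."""
    expected = sign(secret, sso.encode())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("sig is not the HMAC-SHA256 of sso")
    fields = parse_qs(base64.b64decode(sso).decode())
    return {"nonce": fields["nonce"][0],
            "return_sso_url": fields["return_sso_url"][0]}


def build_redirect(secret: bytes, request: dict, user_id: int,
                   username: str, email: str) -> str:
    """URL that sends an authorised user back to Discourse with account info."""
    payload = base64.b64encode(urlencode({
        "nonce": request["nonce"],    # echoed back; ties the reply to this login
        "external_id": str(user_id),  # Django user ID (assumption from the post)
        "username": username,         # character name
        "email": email,
    }).encode())
    query = urlencode({"sso": payload.decode(), "sig": sign(secret, payload)})
    return f"{request['return_sso_url']}?{query}"


if __name__ == "__main__":
    # Constructed sample: what Discourse would send for one login attempt.
    secret = b"constructed-shared-secret"
    raw = urlencode({"nonce": "n0nce123",
                     "return_sso_url": "https://forum.example.invalid/session/sso_login"})
    sso = base64.b64encode(raw.encode()).decode()
    req = parse_request(secret, sso, sign(secret, sso.encode()))
    print(build_redirect(secret, req, 42, "Some Pilot", "pilot@example.invalid"))
```

The access check ("if allowed to access Discourse") belongs between `parse_request` and `build_redirect`: a user who fails it should never receive a signed reply.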