We have a private category in our Discourse instance that is restricted to a specific user group. We created a link so new users can access this category after logging in through OAuth2.
However, when new users who do not yet have a Discourse account click the link, they see this message:
“Sorry, access to this forum is by invite only.”
Because of this, they cannot proceed to the OAuth2 login flow and never reach the category. Existing users can access it normally.
We want new users to be able to sign in via OAuth2 and then be added to the appropriate group so they can see the category—but currently Discourse blocks them before login.
What we need help with
Why is the site showing “invite only” even though we want to allow OAuth2 login for new users?
Is there a setting like oauth2 allow uninvited users or invite only that we need to adjust?
What is the correct setup if we want:
the site not to be invite-only,
OAuth2 users to sign in as new accounts, and
group permissions to restrict category access after login?
Any guidance on properly configuring OAuth2 + group-based category restrictions would be appreciated.
Hi — could you please check the Discourse site setting invite only and disable it if it’s enabled?
Disabling invite only will allow new users to sign in or register using OAuth2.
Once they’re signed in, you can use your group-membership rules (automation or manual assignment) to grant them access to the private category.
I disabled Invite Only and created a group invite link for a private category. When new users click the link, they log in through our OAuth2 SSO, but they are not automatically added to the group—so they still cannot see the category.
Need help understanding why group invite links do not add new SSO users to the group, and how to ensure new OAuth2 SSO users are automatically added when using the invite link.
We recently had a similar issue and resolved it by disabling the “OpenID Connect match by email” option in the OpenID Connect plugin settings.
The main difference in our case is that we use a self-hosted Authentik instance as SSO, and we have an Authentik webhook that creates a Discourse account for new users once their Authentik account is set up. In this webhook, the Discourse account is created, then added to Discourse groups based on the groups the Authentik account has access to.
Other relevant settings (different from default values) we have in place are:
