Agree to TOS with SSO


We’re currently using SSO as the only way to log in to our Discourse instance but we still want to include an “agree to TOS” checkbox. The ToS for our forum is different than the main website so we need users to explicitly agree to the forum ToS.

I’ve created a required custom user field for this purpose, but it seems like SSO skips over these when creating new users, even when it is “required”. Is there any other way to make a user acknowledge that they’ve read the ToS? Or otherwise restrict to read-only until they’ve read it?

I’ve considered using a badge (similar to the “Read Guidelines” default), but as far as I can tell, badges can’t be criteria for restricting actions.

(Jeff Atwood) #2

If you are using SSO, shouldn’t your TOS confirmation be on the parent site?

It just doesn’t make sense to me that SSO would demand the child site enforce anything related to login.

(Kane York) #3

Agreed, @jsorc your SSO endpoint should refuse to sign the payload if the TOS has not been accepted. Redirect them to a forum TOS acceptance page (on your login site), then forward them back to /session/sso to restart the process (SSO tokens expire after 10 minutes).


Makes perfect sense. Thanks!