API request to users/by-external on private forum

I’m trying to make an API GET request to /users/by-external/:external_id.json on a login_required forum that is using SSO.

When the forum isn’t set to ‘login required’, the user is returned. When it is set to ‘login required’, instead of returning the user, the request is being redirected to /session/sso.

In the logs I’m seeing:

Started GET "/users/by-external/1.json" for at 2017-04-07 10:46:55 -0700
Processing by UsersController#show as */*
Parameters: {"external_id"=>"1.json", "user"=>{}}
UserField Load (2.6ms)  SELECT "user_fields".* FROM "user_fields"
Redirected to http://localhost:3000/session/sso
Filter chain halted as :redirect_to_login_if_required rendered or redirected

The problem seems to be happening in ApplicationController#redirect_to_login_if_required

When I check the values for request.format.json? and is_api? inside of the redirect_to_login_if_required method they are both returning false.

Is there any way to get this to work?

Are you using a valid admin API key and API username?


Thanks! I wasn’t using an API key or username. When I add them the user is returned.

Edit: I answered that too quickly. When I add the API key and API username to the request it’s no longer being redirected to /session/sso but it’s returning Discourse::InvalidAccess from lib/auth/default_current_user_provider.rb, line 79

After that, the next function call in my application is finding the user by their email address. Unfortunately, I’m making the call from WordPress, so the email address isn’t a reliable way to find the user.


I’ve looked at this some more. It seems that it’s not possible to make an API request to /users/by-external on a private forum. If it was possible to do it without authentication, it would be a security breach. With authentication, you need to know the API key and username of the user you are looking for by the external_id, but if you already have that information, there’s no need to make the request.

For my purpose, what I really need to know is the WordPress user’s Discourse id. The best approach to getting that seems to be to use a Discourse webhook to send the user data to WordPress when the user is created or updated on Discourse. That data can then be stored on WordPress.

Does it really reject the username system with the master API key?


Really? I can make success API request to /users/by-external on my forum which has login_required on.

I don’t get the point here. You can make API call by using a predefined username that you know for sure exists in your forum, such as system or admin user. Thus before you get any knowledge of any user in Discourse, you can make the API call to find out the information for a given ID from external SSO provider. That’s the point and why the API endpoint name is “by-external”.

1 Like

Yes it works! :slight_smile: The problem I was having was because I was escaping the URL before I sent it to Discourse.