Bypassing SiteSetting.login_required for external SSO


(cpk) #1

I am wondering if there is a way to bypass SiteSetting.login_required and return a sig and payload. I am implementing login via a mobile app against a Discourse instance with SSO enabled.

I have a working plugin that returns the nonce instead of redirecting, to be used later in the flow upon login success against the primary site. It looks something like this:

def return_nonce
	# Build the SSO URL and return its parsed parameters as JSON instead of redirecting
	nonce = DiscourseSingleSignOn.generate_url(params[:return_path] || '/')
	uri_array = Rack::Utils.parse_query(nonce)

	render json: uri_array
end

This only works with login_required off. Could this function be modified to work with that setting set to on? Thanks!

(Sam Saffron) #2

Wait, are you saying SSO is broken if login required is true?

(cpk) #3

@sam, no, not at all. There is simply a server side redirect before the render returns. We found a fix on the front end. Thanks.

(Kane York) #4

The combination of login required + SSO means that all pages redirect to the SSO URL, which is what you’re seeing.