Configure sign up and log in with Auth0 using the OAuth2 Basic Plugin

(oauth2_basic) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

Any ideas?

Is it possible to make Auth0 the only possible way to register and log in?

Yes, just disable all the other login methods (including the enable local logins setting).


Is it possible to just redirect to the Auth0 signup and not display the basic signup form?

If you want to hide all the Discourse login/signup UI, then you can turn off the enable local logins site setting.


Thanks David. I did that but I’ve noticed that when I sign up using the modal and get redirected back to Discourse, it prompts again for a username and other details so it doesn’t look like Auth0 is passing that information back to Discourse. I’m wondering if the solution is to keep the modal simple with just email address and password on the Auth0 modal for registration and get the rest of the details on Discourse.
Problem is we want to keep the user data in one place using a custom database attached to Auth0.

How can I set the logout redirect? I can't find anything about logout.

To only require email address validation if the user hasn’t already confirmed it in Auth0, the oauth2 json email verified path value is email_verified.

I found this by enabling the oauth2 debug auth setting and inspecting the logs at <DISCOURSE_URL>/logs. When I logged in using an unverified account, the body looked like this:

OAuth2 Debugging: 
user_json: {
  "sub"=>"auth0|XXXXXX", 
  "nickname"=>"YYYYY+unprovenauth", 
  "name"=>"YYYYYY+unprovenauth@ZZZZZZ.com", 
  "picture"=>"https://via.placeholder.com/150", 
  "updated_at"=>"2022-09-21T07:50:40.172Z", 
  "email"=>"YYYYYY+unprovenauth@ZZZZZZ.com", 
  "email_verified"=>false
}
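How a verified-path setting like the one in the post above can gate email validation, as an added Ruby example that is not part of the original thread and not the plugin's own code. `walk_json_path` and `email_already_verified?` are hypothetical helpers, and the userinfo hash is constructed to mirror the debug output above.

```ruby
require "json"

# Constructed sample modelled on the debug output above (placeholder values).
SAMPLE_USERINFO = JSON.parse(<<~JSON)
  {
    "sub": "auth0|XXXXXX",
    "nickname": "user+unprovenauth",
    "email": "user+unprovenauth@example.com",
    "email_verified": false
  }
JSON

# Hypothetical helper: resolve a dotted path such as "email_verified" or
# "user.emails.0.verified" against parsed JSON. Returns nil when any
# segment is missing or the path runs past a scalar, instead of raising.
def walk_json_path(data, path)
  path.to_s.split(".").reduce(data) do |node, segment|
    case node
    when Hash then node[segment]
    when Array then segment.match?(/\A\d+\z/) ? node[segment.to_i] : nil
    else return nil
    end
  end
end

# Hypothetical decision: skip the confirmation email only when the claim is
# the boolean true or the literal string "true". A missing claim, nil, or
# the string "false" (which is truthy in Ruby) all fall back to requiring
# email validation on the Discourse side.
def email_already_verified?(userinfo, verified_path)
  return false if verified_path.to_s.empty?
  value = walk_json_path(userinfo, verified_path)
  value == true || value == "true"
end

if __FILE__ == $PROGRAM_NAME
  # Unverified Auth0 account from the sample: validation is still required.
  puts email_already_verified?(SAMPLE_USERINFO, "email_verified")
end
```

The strict comparison matters because a provider that serialises the claim as a string would otherwise make every account look verified.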