Configuring oauth2 with doxology

(Jay Pfaffman) #1

I’m trying to configure oauth2 with doxology.

Here’s what they say a request should look like:


From the limited info I can get from their techs (“the api is not supported”), it seems that everything (?) is working except that the request Discourse is passing doesn’t include the scope. What I need, in terms of their example request above, is scope=basic%20email.

I’ve tried putting scope=basic email and scope=basic%20email and just scope=basic (which I think should at least give permissions to the ID), but it’s failing like this:

Started GET "/auth/oauth2_basic" for at 2017-11-21 21:17:25 +0000
(oauth2_basic) Setup endpoint detected, running now.
(oauth2_basic) Request phase initiated.
Started GET "/auth/oauth2_basic/callback?code=4babb01d3065497a35766d015597037a&state=d63533cc57c7d8e9a3e73e4effcba96e532062715d3adfe8" for at 2017-11-21 21:17:27 +0000
(oauth2_basic) Setup endpoint detected, running now.
(oauth2_basic) Callback phase initiated.
Processing by Users::OmniauthCallbacksController#complete as HTML
  Parameters: {"code"=>"4babb01d3065497a35766d015597037a", "state"=>"d63533cc57c7d8e9a3e73e4effcba96e532062715d3adfe8", "provider"=>"oauth2_basic"}
OAuth2 Debugging: after_authenticate response: 

creds: {"token"=>"9LoXFaen2N5TUM5UrGp4Em-MncARzCZab_ROrp6-hEd0DxuFK7MQRbxlwiPPkUJ2Aela1-aPXcRHn-07FWmW3g==", "expires_at"=>1516483047, "expires"=>true}
info: {"id"=>nil, "name"=>nil}
extra: {}
OAuth2 Debugging: user_json_url:
Completed 500 Internal Server Error in 84ms (ActiveRecord: 5.7ms)
OpenURI::HTTPError (401 Unauthorized)
/usr/local/lib/ruby/2.4.0/open-uri.rb:363:in `open_http'

I got this info back from some techs:

Is there something obvious I’m missing?

(Robin Ward) #2

The OAuth2 basic plugin doesn’t allow you to customize the scopes you want.

Were you adding it in authorize_options?

I believe we’d need to add a new option here based on site settings to pass custom scopes.

(Jay Pfaffman) #3

Thanks, Robin. That’s at least part of what I needed to know.

Yes, I was thinking that I could add that scope in authorize_options, but I’m inferring that’s not the case. Can you throw me a couple lines of code and I’ll see if I can fork it and make it work for them?

This is a group of physicians working to solve problems in Puerto Rico. Actually, they probably didn’t notice that they might qualify for your non-profit rate, which might make more sense for them than me (as I recall, they’d rather go with you in the long term anyway). At the budget they’ve given me I’m not keen on developing a custom plugin, but I guess it’s just a line or two and you can give me a hint, I can get them started with a proof of concept for their organization.

(Felix Freiberger) #4

It looks like you can just use an oauth2 authorize url like – at least I’ve been able to use this approach to authenticate with GitLab 🙂

(I’ve been unable to observe any effect of the oauth2 authorize options setting, so I left it at the default.)

(Robin Ward) #5

I would try something like:

opts[:scope] = 'basic colleagues'

If that works, it should be extracted to a site setting.
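
An added example, not part of the thread or of the plugin's code: a Ruby check for whether an authorization URL actually carries the `scope` parameter that the first post says is missing, plus a builder that adds it as one space-delimited value. The endpoint, callback URL, client id and state below are constructed placeholders, and the helper names are hypothetical.

```ruby
require "uri"

# Scopes requested by an authorization URL. RFC 6749 section 3.3 defines
# scope as one space-delimited string; "+" and "%20" both decode to a space.
def requested_scopes(url)
  query = URI.parse(url).query.to_s
  value = URI.decode_www_form(query).to_h["scope"]
  value.to_s.split(" ")
end

# Required scopes that the authorization URL does not ask for.
def missing_scopes(url, required)
  required - requested_scopes(url)
end

# Build an authorization URL, keeping any query parameters already present
# on the endpoint and replacing the OAuth2 ones set here.
def authorize_url(endpoint, client_id:, redirect_uri:, state:, scopes:)
  uri = URI.parse(endpoint)
  params = URI.decode_www_form(uri.query.to_s).to_h
  params.merge!(
    "response_type" => "code",
    "client_id" => client_id,
    "redirect_uri" => redirect_uri,
    "state" => state
  )
  params["scope"] = scopes.join(" ") unless scopes.empty?
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

# Constructed sample values; the endpoint and client id are placeholders.
ENDPOINT = "https://auth.example.com/oauth/authorize"
CALLBACK = "https://forum.example.com/auth/oauth2_basic/callback"

if __FILE__ == $PROGRAM_NAME
  without_scope = "#{ENDPOINT}?response_type=code&client_id=CLIENT_ID"
  with_scope = authorize_url(ENDPOINT, client_id: "CLIENT_ID",
                             redirect_uri: CALLBACK,
                             state: "constructed-state",
                             scopes: %w[basic email])
  puts with_scope
  p missing_scopes(without_scope, %w[basic email])
  p missing_scopes(with_scope, %w[basic email])
end
```

Running `missing_scopes` against the URL the browser is redirected to in the request phase shows whether the provider ever received the scopes before the token is used against the user JSON URL.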