I use SAML groups to authenticate users to different categories. When the groups change, the user has to log in again. I want to automate this in my IDP: when groups change, it uses the API to log out the user.
curl -X POST "https://mydiscourse.org/admin/users//log_out.json" -H "Content-Type: application/json" -H "Api-Key: XXXX" -H "Api-Username: Admin" -v
With an API token that only has the log_out right, this can be done very securely.
However IDP doesn’t have the numeric ID of user. It only has a unique number.
I already discovered how to log out a user via the console (enter app and rails c):
# Look up the SAML association by its provider_uid (the id the IDP knows)
uaa = UserAssociatedAccount.find_by(provider_name: "saml", provider_uid: "123456")
# Resolve the Discourse user behind that association
user = uaa.user
# Revoke every session token, which logs the user out everywhere
user.user_auth_tokens.destroy_all
So my idea was to create a custom endpoint with similar usage:
curl -X POST https://mydiscourse.org/custom/saml-logout/123456 -H "Api-Key: xxx" -H "Api-Username: Admin" -H "Accept: application/json"
This either just forwards the received auth token to the official API, probably the safest method; the ID can be obtained via user.id (see the rest above).
Or it executes
uaa = UserAssociatedAccount.find_by(provider_name: "saml", provider_uid: "123456")
user = uaa.user
user.user_auth_tokens.destroy_all
Are there simple plugins where I can simply paste this very small piece of code into? I am no Ruby programmer, but these are so few lines of code. This should be feasible in a few minutes.
Thank you very much for your help.
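Added example, not part of the original post or of Discourse itself: an IDP-side script that takes the "forward to the official API" route from the post without writing a plugin at all. It chains two admin API calls, first resolving the SAML provider_uid to the numeric user id, then calling the log_out endpoint that the post already uses. The lookup route `GET /u/by-external/:provider/:external_id.json` is an assumption about the target Discourse install and should be confirmed there (for example with `bin/rails routes | grep by-external`); the environment variable names and the sample JSON in the test are constructed. The provider_uid is validated against a strict character set before it is placed in a URL, so an IDP-supplied value cannot redirect the request to a different admin endpoint.

```shell
#!/bin/sh
# Added example (not from the original post): force a Discourse logout for a
# SAML subject using only official admin API calls, no custom plugin.
# ASSUMPTION: GET /u/by-external/:provider/:external_id.json exists on the
# target install and is readable by the API user; check this on the server.
set -eu

DISCOURSE_URL="${DISCOURSE_URL:-https://mydiscourse.org}"
API_KEY="${DISCOURSE_API_KEY:-}"            # key scoped to the two endpoints used below
API_USER="${DISCOURSE_API_USERNAME:-system}"

# Only accept provider_uid values made of letters, digits, . _ @ and -, so the
# value can be interpolated into a URL path without escaping or path tricks.
valid_provider_uid() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9._@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# URL of the (assumed) lookup route for the saml provider.
lookup_url() {
  printf '%s/u/by-external/saml/%s.json' "$DISCOURSE_URL" "$1"
}

# URL of the official log_out endpoint; refuses anything but a plain integer id.
logout_url() {
  case "$1" in
    "" | *[!0-9]*) echo "invalid user id: $1" >&2; return 1 ;;
  esac
  printf '%s/admin/users/%s/log_out.json' "$DISCOURSE_URL" "$1"
}

# Pull the integer "id" out of the top-level "user" object of the lookup
# response. Pure text processing (no jq dependency) so it is testable offline;
# relies on "id" appearing before any nested object inside "user", which is
# how Discourse serialises it.
user_id_from_json() {
  printf '%s' "$1" | sed -n 's/.*"user":{[^}]*"id":\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Resolve the SAML uid to a Discourse user and revoke all of its sessions.
force_logout() {
  uid="$1"
  valid_provider_uid "$uid" || { echo "refusing unsafe provider_uid" >&2; return 1; }
  json=$(curl -sS -f -H "Api-Key: $API_KEY" -H "Api-Username: $API_USER" \
              -H "Accept: application/json" "$(lookup_url "$uid")")
  id=$(user_id_from_json "$json")
  [ -n "$id" ] || { echo "no Discourse user for saml uid $uid" >&2; return 1; }
  curl -sS -f -X POST -H "Api-Key: $API_KEY" -H "Api-Username: $API_USER" \
       -H "Accept: application/json" "$(logout_url "$id")"
  echo "logged out user $id (saml uid $uid)" >&2
}

# Usage: DISCOURSE_API_KEY=... ./saml-logout.sh 123456
if [ "$#" -ge 1 ]; then
  force_logout "$1"
fi
```

Because the script never runs Rails code, the API key can stay limited to the lookup and log_out endpoints, which is the same least-privilege property the post wants from the "forward to the official API" variant; a plugin that calls `user_auth_tokens.destroy_all` directly would need no such scope and therefore needs its own admin check instead.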