Disable "create account" screen for CAS logins

(Aaron Parecki) #1

I love the CAS login feature, which allowed me to quickly tie Discourse logins into an existing site.

The forum I’m setting up is for an existing community who already has logins on a site. When a user new to the Discourse install visits the site and clicks “Log In” they authenticate with CAS. Then they see this “Create Account” screen on Discourse: http://farm3.staticflickr.com/2810/11278133123_2f55c48bae_o.png

The experience would be better for these users if they did not see this screen, and instead their forum account was silently created behind the scenes. They shouldn’t need to have the concept of a separate forum account in this case.

I would like to see a config option that prevents the create account screen from appearing.

(Nick Fulcher) #2

This would be a great feature to have.

We have done something similar using our own OpenID provider and disabled all other log in methods. The last remaining thing would be removing the create account screen.

We would like their Discourse username to be the same as their username from the OpenID site. The problem right now is they can override that username on the create account dialog.

(eriko) #3

So I am working on the cas plugin the is probably going to replace the current integrated version. In the case that the cas server is providing the email address or when you can guess their email address (username@ALWAYSTHIS.DOMAIN) it would make sense to do this. So optionally disabling it would make sense.
@sam is this possible to do in an auth method?

(Vikhyat Korrapati) #4

When we were using OAuth2, to accomplish this I ended up monkey patching the authenticator’s after_authenticate callback to create a user account if one doesn’t exist after getting the authentication results. You could do something similar with the OpenID authenticator as well.

(eriko) #5

Do you have code I could look at?

(Vikhyat Korrapati) #6
Auth::OAuth2Authenticator.class_eval do
  def after_authenticate(auth_token)

    result = Auth::Result.new

    oauth2_provider = auth_token[:provider]
    oauth2_uid = auth_token[:uid]
    data = auth_token[:info]
    result.email = email = data[:email]
    result.name = name = data[:name]

    # Automatically create user account if needed.
    if @opts[:auto_create_account] && User.find_by_email(email).nil?
      user = User.create(name: name, email: email, username: name)

    oauth2_user_info = Oauth2UserInfo.where(uid: oauth2_uid, provider: oauth2_provider).first

    if !oauth2_user_info && @opts[:trusted] && user = User.find_by_email(email)
      oauth2_user_info = Oauth2UserInfo.create(uid: oauth2_uid,
                                               provider: oauth2_provider,
                                               name: name,
                                               email: email,
                                               user: user)

    result.user = oauth2_user_info.try(:user)
    result.email_valid = @opts[:trusted]

    result.extra_data = {
      uid: oauth2_uid,
      provider: oauth2_provider


Inject patch in Docker Installation
(eriko) #7

Thanks this was helpful and I have added something based on it to my plugin.

(shahid) #8

any updates on whether this feature has been implemented?

(eriko) #9

The CAS plugin was decomisdioned long ago. It has been replaced with cas to discourse SSO rails app that you need to run separately. CAS auth via the SSO api That said as the maintainer for it I encourage you to use the built in discourse SAML via the the SAML support of Jason CAS if you can instead.