Disable email verification for SSO

Hey,

I’ve set up discourse to use Auth0 as the SSO provider. The problem I have is that when a user registers they are receiving two verification emails. One from auth0 and one from discourse.

Is there any way to disable the one from discourse?

Thanks in advance

If email addresses are being verified by Auth0, you can disable Discourse verification emails by selecting the oauth2 email verified site setting. There is a reference to that setting in this post: How to use Auth0 with the OAuth2 Basic Plugin.

3 Likes

Thanks for the answer @simon but I’m using SSO not Oauth2

2 Likes

The term SSO gets used for a few different authentication methods. This has caused confusion a few times in the past.

If you are using the Discourse implementation of SSO, then email verification is controlled by the require_activation SSO parameter. Set that parameter to "false" to bypass email verification.

3 Likes

Thanks again @simon

I want to avoid disabling it completely. At the moment I have it set up so that require_activation returns true/false based upon whether they have been verified by auth0. This works fine and after they have clicked on the auth0 email the next time they login they get verified on discourse.

So ideally it would just be suppressing the email unless I’m missing something

1 Like

That makes sense. Our WordPress plugin handles email verification in the same way.

If you want to see how the require_activation value is used by Discourse, have a look at this file: https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L81. You’ll see that when require_activation is set to "false" when a user is first created via SSO, an active user will be created by Discourse. If it is set to "true", the user will not be activated until they click the link in the Discourse activation email.

Once a user is set to active on Discourse, the only thing that should cause a user to need to be reactivated is if you have enabled the sso_overrides_email site setting and the user updates their email address on your SSO provider site.

When set to "true", require_activation also prevents Discourse from matching existing users to users from your external site based on their email address. This can cause issues when SSO is implemented after users have already been created on the site with username/password account creation.

1 Like

Thank you that makes sense, however I’m not sure how this stops the “verify email” email from discourse getting sent?

I just want the one from auth0 to be sent

To only have the verification email sent from your SSO provider site, users will need to register on that site and verify their email address before they first login to Discourse. You will then be able to set the require_activation parameter to "false" for those users. They will be created as active users on Discourse and not get sent the Discourse activation email.

2 Likes

This doesn’t make sense. How do I make them verify an email before the first login to Discourse?
My website already takes care of email verifications, how do I disable Discourse from sending verification email, but still showing user a message that they need to authenticate?

DiscourseConnect assumes that you are validating email addresses on your website. As long as you are doing that, do not set the require_activation parameter in the SSO payload. If that parameter is not in the payload, users will be logged into Discourse without an activation email being sent to them.

1 Like

Yes, but then Discourse will assume they are validated, which might be not true if user went to forum and forgot or decided not to validate an email. If website sets require_validation to true, meaning user has not yet validated their email on website, but definitely received a validation link, so no need for Discourse to send it again, but it will because of this parameter.

Basically problem only arises if user goes to Discourse before validation. So right now I basically have to choose out of two options:

  1. User receives only one validation email, but will be treated by Discourse as validated, which is not ideal, because they might not finish validation.
  2. User receives two validation emails, but will be properly validated by both forum and website. This option is also not ideal, but is definitely better out of two.

There is a third option: add a switch that works only if SSO is enabled, disabling verification email from Discourse (but leaving an error page that tells user that they are not verified)

Ideally, when a user creates an account on your website, you will validate their email address by having them respond to an activation email that is sent from your website when the user registers. If, for some reason, you allow users to create accounts on your website before they have validated their email address, you can set the require_validation parameter conditionally in the SSO payload. If the user has validated their email address, set require_validation to false, or just leave out the parameter from the payload. If the user has not validated their email address on your website, set the require_activation parameter to true so that they’ll be sent an activation email from Discourse.
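A provider-side sketch of the conditional payload described above, as an added example that is not part of the original thread or Discourse's own code. It assumes the standard DiscourseConnect format (base64-encoded query string signed with HMAC-SHA256, fields `nonce`, `external_id`, `email`, `username`); the `user` hash, the secret and the sample request are constructed for illustration.

```ruby
require 'openssl'
require 'uri'

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign(secret, payload)
  OpenSSL::HMAC.hexdigest('sha256', secret, payload)
end

# Verify the request Discourse sent (sso + sig), then build the signed reply.
# `user` is a hypothetical record from the provider's own user store.
def build_sso_response(sso, sig, secret, user)
  raise ArgumentError, 'bad signature' unless secure_equal?(sign(secret, sso), sig)

  request = URI.decode_www_form(sso.unpack1('m')).to_h
  fields = {
    'nonce'       => request.fetch('nonce'),
    'external_id' => user[:id].to_s,
    'email'       => user[:email],
    'username'    => user[:username]
  }
  # Only unverified addresses carry require_activation=true; verified users
  # omit the parameter and are created as active accounts.
  fields['require_activation'] = 'true' unless user[:email_verified]

  payload = [URI.encode_www_form(fields)].pack('m0')
  { 'sso' => payload, 'sig' => sign(secret, payload) }
end

# Decode a payload back into a hash, for inspection.
def decode_payload(payload)
  URI.decode_www_form(payload.unpack1('m')).to_h
end

# Constructed sample input standing in for what Discourse would send.
SECRET = 'constructed-demo-secret'
REQUEST_SSO = [URI.encode_www_form(
  'nonce' => 'abc123', 'return_sso_url' => 'https://forum.example/session/sso_login'
)].pack('m0')
REQUEST_SIG = sign(SECRET, REQUEST_SSO)
```
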

That is exactly what I am doing and this is a problem. For instance, user registers, receives an activation email from the website, but instead of opening it and activating they decide to go to Discourse because why not. Then require_activation will be set to true, because user was not yet activated. But Discourse will decide that user needs another activation email, which is a problem, since there is already an activation email from the website waiting to be opened. Discourse should just display an error message stating user should check their email.