Discourse integration for Microsoft Teams?

Apparently, Microsoft Teams is the fastest growing product in Microsoft’s history and in comparison to some of the other collaboration suites and enterprise social networks I kinda see why. However, when it comes to discussions, it is still miles away from discourse and chances are it will never catch up. Also, teams in Teams are currently limited to 2500 members and although that limit will be increases to 5000, it still means that it is not suitable for organization-wide discussions in larger organizations (discussions in Teams are only possible within teams, not across teams. So for everyone in the organization to be able to see a discussion, everyone has to be a member of a single team).

Discourse could fill these gaps but in order to properly integrate with Teams it would have to run in a Teams tab, which, I suppose, is an iframe.

I understand that discourse currently refuses to run in an iframe for security reasons but I wonder if certain iframes (like those in Teams) could be an exception?

3 Likes

No idea until paying customers start asking us for it. None have yet.

4 Likes

So you are saying it can be done but it is non-trivial?

I think you totally buried the lede here :wink:

Removing iframe busting code is technically possible but not a trivial thing to do

3 Likes

I’m standing on the hose. :woozy_face:

I didn’t assume that what would need to be done is to remove the “iframe busting code” entirely but to disable it selectively in certain contexts.

1 Like

We would absolutely love it. A whole swath of employers in my field have just signed up to Teams, and it looks to be big.

Having an integration between Discourse and Teams would mean that we can get our new Discourse forum working brilliantly. At the moment it is Discourse vs Teams as we are just setting things up. We have compelling international collaboration reasons for using Discourse, but I fear without an integration it will fail to fly.

Please do it!

3 Likes

What does “please do it” mean? What integration could there be other than SSO which already works, assuming you log in to existing internal systems using oauth 2 or ldap?

Forgive me as I am quite ignorant of both Discourse and Teams. But learning fast.

I meant doing the work to enable the running Discourse from a tab as in the first post of this thread:

5 Likes

Just to clarify what is happening here, we ship a header with Discourse called:

X-Frame-Options: SAMEORIGIN

This stops sites adding yours site as an IFRAME which is a filthy SEO trick some people do to steal page rank and causes overall levels of confusion and do nasty things like clickjacking:

What I strongly support adding to Discourse is some ability to customize this header:

In particular we could allow you to define:

X-Frame-Options: allow-from https://my-team-site.team.microsoft.com

This particular request does not come up too often, but I do support amending it. It is a bit of a tricky change cause we do need some defense in depth here, some of our assets are delivered not via the app and we can not swap in the magic value there.

6 Likes

Sure we could have a site setting that simply removes X-Frame-Options to start with. Default off of course, but once you turn it on, you opt in to giving up all framing protection.

4 Likes

This seems quite the nuclear option. If it is possible, I would prefer Sam’s suggestion of allowing some URLs while still excluding the rest.

3 Likes

some URLs is not going to happen for a while, it requires CSP changes and we are not going to get into this right now:

That said we will allow * for everything, domain.com for a single domain or blank by default.

3 Likes

For us,

will be fine - thank you for listening! We are unlikely to be victims of clickbaiting as our networks are all private.

When do you think that this will be live?

This is why it’s not a big security concern to whitelist all domains @tobiaseigen , which is what I figured would be the case.

1 Like

This sounds very promising!

I suspect my company is going to end up in Teams too once the pressure to migrate away from Skype for Business beats the security concerns of moving users to a cloud service.

I have a goal of augmenting our traditional Outlook/Exchange e-mail with Discourse and finding a better chat tool than SfB for the daily high speed bot-assisted operations chat, voice and screen sharing (stuff that is outside the scope of Discourse).

If it becomes easy to link Discourse and Teams together that could make it a really nice combination. We already have excellent SSO plugins for Azure and traditional AD to make the user experience pretty seamless :slight_smile:

Hi @codinghorror @sam,
Just wondering if anyone’s taken this any further in the past year?
Has the option to modify/remove X-Frame-Options been implemented?
Has anyone managed to do this cleanly with SSO?

Thanks guys!

1 Like

It’s done. Now you can remove it by enabling the allow_embedding_site_in_an_iframe site setting.

https://github.com/discourse/discourse/commit/f7084a4339e2667f644cffcfea61cc3c69521bec

7 Likes

Thanks Vinoth! Much appreciated.

3 Likes