Discourse OpenID Connect (OIDC)

tobiaseigen · July 16, 2025, 9:41pm

This plugin is now bundled with Discourse core as part of Bundling more popular plugins with Discourse core. If you are self-hosting and use the plugin, you need to remove it from your app.yml before your next upgrade.

hhf.technology · July 24, 2025, 6:52am

yes i did for a client.

Steradiant · March 14, 2026, 3:08pm

We would love to be able to synchronise some groups on Discourse with OIDC groups we have. We found that there has been a PR providing this functionality, but it was not considered further:
https://github.com/discourse/discourse/pull/34763/changes

Would it be possible to include this into Discourse’s functionality?

Steradiant · May 3, 2026, 7:43pm

Will users automatically be removed once they are no longer members of the respective group?

david · May 4, 2026, 11:10am

Yes they will

Steradiant · May 4, 2026, 11:41am

Hmm, this does not match my testing actually.

attalbialami · May 6, 2026, 7:31am

Hello all, I’m using the OpenID Connect plugin and trying to pass custom parameters in the /authorize request via openid connect authorize parameters, but it doesn’t seem to work reliably.

Is this officially supported? If not, what’s the recommended way to send custom context to the IdP ?

Thanks!
@david

sistason · May 14, 2026, 4:58pm

Hi,

the plugin works well for years, but I stumbled upon my first SSO user having a username ending in an underscore, e.g. a disallowed username.

That user cannot login to Discourse. I think OIDC then tries to create an account with a username just without the underscore. Which is fine, but if that account already exists (username foo exists, username foo_ cannot login because “Account already exists” error), there seems to be an impersonation (attempt) in some part:

The username foo gets an email that they tried to create an account or tried to change the email of an account but that email was already taken.

This is during first-login, e.g. account-creation via SSO, for foo_. So foo_ tries to create an account as foobut cant because the name is already taken. But why does the original foo now get a email-notification for that?

You just tried to create an account at \<discourse\>, or tried to change the email of an account to \<email of foo\>

Is there a solution for the problem of having username and username_ in OIDC, like configuring the way discourse handles invalid usernames during auth?

mixman68 · May 27, 2026, 4:34pm

Hello,

Thanks for last edits on this plugin, but how i can synchronize admins by oidc ?

Thanks

Topic		Replies	Views
Discourse OAuth2 Basic Plugin official , oauth2 , auth-plugins , included-in-core	31	65564	July 24, 2025
Use Discourse as an identity provider (SSO, DiscourseConnect) Integrations sso , discourseconnect , how-to	143	50654	November 9, 2024
Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso) Integrations sso , discourseconnect , configuring , how-to	46	455892	May 27, 2026
Configure sign up and log in with Auth0 using the OAuth2 Basic Plugin Integrations sso , oauth2 , auth-plugins , how-to	73	19985	December 16, 2025
Well known support? SSO oauth2	0	496	May 28, 2023

Discourse OpenID Connect (OIDC)

Related topics