Discourse OpenID Connect

fred.fred · February 6, 2023, 3:12pm

Hi, does auto provision of user accounts work with the official OIDC plugin?

I am on the business trial and I want to hook up our Fusion Auth instance using OIDC.

I have the settings here - Discourse OpenID Connect - #200 by tobiaseigen

except for enable_local_logins = true.

However, when I try to login from our SSO to Discourse trial with a fresh SSO account I get

Sorry, access to this forum is by invite only.

If I create the account beforehand in Discourse, then click through it all works.

Is there something I am missing to allow for provisioning where users click over? Or is this even possible?

Thanks.

tobiaseigen · February 6, 2023, 4:14pm

Can you check if the invite only admin setting is selected? That may be preventing accounts from being created.

fred.fred · February 6, 2023, 4:35pm

@tobiaseigen

Yep, that was it after much clicking around. Can you update your post for that part?

Now, I am trying to figure out how to get rid of the sign up/login in the middle if the user is not setup on discourse yet.

tobiaseigen · February 6, 2023, 4:58pm

Great! I would not rely on that reply. The first post which should have definitive instructions. If those are not clear enough/up to date we will have to work on that!

Glad you got it working.

snikch · February 20, 2023, 8:07pm

Is there a way to avoid “losing” the original route when logging in to a private post?

If we visit a private page and hit either of the login buttons on that page, when redirected back to the site, we end up on the categories page.

Avinash_Dane · March 10, 2023, 12:31pm

Hi, using OpenID connect plugin I am able to authenticate user where IdP is Keycloak. I want to map groups or roles (realm or client) associated with user in Keycloak to discourse.
Is it possible with OpenID connect plugin or is it possible with DiscourseConnect?
I am little confused between OpenID connect plugin and discourse connect. Please help.

Canapin · June 15, 2023, 11:46am

3 posts were split to a new topic: How to configure the OIDC to set the Username as the email account name or a username like value returned from my auth providers?

sebix1 · June 14, 2023, 8:14pm

I managed to connect GitLab and Microsoft (Azure) with this plugin. btw: for the Azure AD service, make sure to use the “Application Client ID” as client id, not the secret ID or value).

How is it possible to connect Discourse with two OIDC providers, e.g. GitLab and Azure?

EDIT: I managed to get GitLab Login working with OAuth2, so my question is now more “theoretical”.

Headless · June 16, 2023, 5:30am

How exactly do you use the ‘claims’ here?

I am not entirely sure how and what that config option is used for.

pfaffman · June 16, 2023, 5:35am

I think that you would need to fork the plugin and change its name to be able to configure it twice. Maybe you’d fork it and hard code it for one of those services.

Headless · June 17, 2023, 2:18am

Is this plugin also releveant or connected to Discourse Connect at all?

I noticed that if I use the discourse connect override name or username settings, and also affects this plugin. I looked in the source code of the plugin but could not find anything related to those settings.

david · June 17, 2023, 7:13am

There’s no connection to DiscourseConnect. The auth_override_* settings apply to all authentication methods. The code for that is part of Discourse core, so that’s why you won’t see them mentioned in the plug-in’s code.

Headless · June 17, 2023, 7:28am

oh gotcha, makes sense. thanks!

xgp · July 26, 2023, 8:20pm

Hi @david Thanks for this plugin. I’m getting it configured, and I have a few questions:

Is it possible to change the name of the provider from “OpenID Connect” to a name that is indicative of my authentication provider?
Is it possible to force users to use the OpenID Connect provider and eliminate the ability to create a user with username/password? Our goal is to only allow users that already have an account with our identity provider to use our Discourse instance.
If #2 is true, is it possible to circumvent this screen/modal altogether and immediately redirect to the configured OpenID Connect provider when “Log In” is clicked?

xgp · July 26, 2023, 8:29pm

I answered #2 myself. It looks like you can disable “local logins” (i.e. username/password) in the settings:

sebix1 · July 26, 2023, 9:40pm

Yes.
At the openid connect enabled setting, the text says ... Customize user interface text here and the link is /admin/customize/site_texts?q=js.login.oidc

xgp · July 27, 2023, 6:49pm

#3 happens automatically when you disable local logins.

Hyan · August 18, 2023, 7:25am

Hi @david,

Can you please take a look at the issue mentioned in following post? I would like to use OIDC plugin over OAuth basic. But I face the same issue - cannot pass parameters to /authorize request. I put the value in plugin in format of foo=bar.

Hyan · August 21, 2023, 12:45am

Hi,
Is someone ever able to configure OIDC with authorize parameters? Or I have to change to OAuth basic plugin? Many thanks!

manavb · August 23, 2023, 6:16pm

Hey @Avinash_Dane Were you able to figure this out ?