Is it intended that a user is still able to log in with the local password? Let’s say a user creates an account via OIDC login. At this point everything is fine, the user can log in via the OIDC provider and the account is protected via 2FA enforcement on the OIDC provider as well.
Now, the user sets a local password for this OIDC-connected account via the password reset email feature. After setting the password, login is possible using the local password and OIDC, but the local login is not 2FA protected and potentially insecure. To make it even worse, there seems to be no way back: after setting a local password users can’t remove it again, and they also cannot set up 2FA because this will disable social logins. I would like to have an option to disallow local logins for OIDC users and, to be even more strict, an option to disallow all other social logins as well, to make OIDC login mandatory for OIDC-connected accounts.
Hello, I managed to make the plugin work with my SSO OpenID, but it doesn’t come filled in the username field of the other system or email among other fields…
I imagine that I should configure something in the “openid connect claims” field, but I don’t know how to configure this field directly. Can someone give me an example? Here are some prints of how my project is:
Great! I would not rely on that reply. The first post should have definitive instructions. If those are not clear enough/up to date we will have to work on that!
Hi, using the OpenID Connect plugin I am able to authenticate users where the IdP is Keycloak. I want to map groups or roles (realm or client) associated with a user in Keycloak to Discourse.
Is it possible with the OpenID Connect plugin or is it possible with DiscourseConnect?
I am a little confused between the OpenID Connect plugin and DiscourseConnect. Please help.
How can I configure the OIDC to set the Username as the email account name or a username-like value returned from my auth providers? In the screenshot below, the Username user2091 looks like it was generated from a pattern, which isn’t what I want (it’s not editable either, probably caused by some settings I did). How can I make it “abc” if the email is returned as “abc@example.com”?
In my Discourse OIDC config, I only set openid email profile besides the minimal config required like the example. Should I set something else, for example, openid connect claims for something?
The Discourse OIDC plugin will use the ‘nickname’ claim provided by the identity provider. So you’ll need to review the documentation for your identity provider and work out how to make it send the ‘nickname’ value that you’d like.
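
As an added example (not part of the thread and not the plugin's code), this Ruby script reports which standard claims an identity provider actually returned for the requested scopes, including whether `nickname` arrived. The scope-to-claim table follows OpenID Connect Core 1.0 section 5.4; the helper names and the sample token are constructed for illustration.

```ruby
require "json"

# Standard claims each scope may return (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
  "profile" => %w[name family_name given_name middle_name nickname
                  preferred_username profile picture website gender
                  birthdate zoneinfo locale updated_at],
  "email"   => %w[email email_verified]
}.freeze

# Decode the payload segment of a JWT for inspection only.
# No signature check happens here, so never use this to authenticate anyone.
def jwt_claims(token)
  parts = token.split(".")
  raise ArgumentError, "expected 3 dot-separated segments" unless parts.length == 3
  payload = parts[1].tr("-_", "+/")            # base64url -> base64 alphabet
  payload += "=" * ((4 - payload.length % 4) % 4) # restore stripped padding
  JSON.parse(payload.unpack1("m"))
end

# Compare the claims the requested scopes could yield with what arrived.
# `claims` may come from the ID token or from the userinfo response.
def claim_report(claims, scopes)
  expected = scopes.flat_map { |s| SCOPE_CLAIMS.fetch(s, []) }
  present = expected.select { |c| !claims[c].to_s.empty? }
  nickname = claims["nickname"].to_s
  { present: present, missing: expected - present,
    nickname: nickname.empty? ? nil : nickname }
end

# Constructed sample token: the IdP returns email but no nickname.
def sample_token(extra = {})
  enc = ->(h) { [JSON.generate(h)].pack("m0").tr("+/", "-_").delete("=") }
  body = { "sub" => "constructed-subject", "email" => "abc@example.com",
           "email_verified" => true }.merge(extra)
  [enc.call({ "alg" => "RS256" }), enc.call(body), "constructed-signature"].join(".")
end

if __FILE__ == $PROGRAM_NAME
  report = claim_report(jwt_claims(sample_token), %w[openid email profile])
  puts "nickname: #{report[:nickname].inspect}"
  puts "present:  #{report[:present].join(', ')}"
  puts "missing:  #{report[:missing].join(', ')}"
end
```

If `nickname` is listed as missing, the change has to be made on the identity provider side, as the reply above says.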