Discourse OpenID Connect

Thank you @david, it works with a custom policy. I was hoping to go with the much easier route of User flows, but that is out of our control to change.

A few suggestions for the plugin:

  • Both the Sign In and Sign Up buttons redirect the user to the login page; in Azure B2C a different page can be shown by appending a parameter

Hello,

Is there a way to set the discourse user avatar source to a field which is specified in the openID service?

Edit: we’re using keycloak

Hello,

I have a requirement similar to @Tomáš_Guba's: I would like to get the value of a custom entry in the user profile and use it in a [custom] user field.

In my case, I have a discovery document with a userinfo_endpoint.

Is there something like that on the plugin roadmap?

Thanks

Hi,

Is it intended that a user is still able to log in with the local password? Let’s say a user creates an account via OIDC login. At this point everything is fine: the user can log in via the OIDC provider and the account is protected via 2FA enforcement on the OIDC provider as well.

Now, the user sets a local password for this OIDC-connected account via the password reset email feature. After setting the password, login is possible using the local password and OIDC, but the local login is not 2FA protected and potentially insecure. To make it even worse, there seems to be no way back: after setting a local password users can’t remove it again, and they also cannot set up 2FA because this will disable social logins. I would like to have an option to disallow local logins for OIDC users and, to be even more strict, an option to disallow all other social logins as well, to make OIDC login mandatory for OIDC-connected accounts.

Thanks.

Just to check - did you toggle the enable local logins admin setting?

That will disable local login for everyone, which is not what I want :slight_smile:

Use case:

  • Mandatory login via OIDC for employees
  • Community login via social login or local user registration

it should be openid email

How can I add 2 or more discovery documents? I already added one for Google and now I need to add one for Yahoo.

This worked for me:

https://api.login.yahoo.com/.well-known/openid-configuration

Hello, I managed to make the plugin work with my SSO OpenID, but the username field, the email and other fields from the other system don’t come filled in…

I imagine that I should configure something in the “openid connect claims” field, but I don’t know how to configure this field directly. Can someone give me an example? Here are some screenshots of how my project is set up:

I tried it and am still facing an issue. Could you also share what kind of configuration is to be used on the Okta side?

Thanks,
Gowthamraj

Hi, does auto-provisioning of user accounts work with the official OIDC plugin?

I am on the business trial and I want to hook up our FusionAuth instance using OIDC.

I have the settings here - Discourse OpenID Connect - #200 by tobiaseigen

except for enable_local_logins = true.

However, when I try to log in from our SSO to the Discourse trial with a fresh SSO account I get

Sorry, access to this forum is by invite only.

If I create the account beforehand in Discourse, then click through, it all works.

Is there something I am missing to allow for provisioning when users click over? Or is this even possible?

Thanks.

Can you check if the invite only admin setting is selected? That may be preventing accounts from being created.


@tobiaseigen

Yep, that was it, after much clicking around. Can you update your post for that part?

Now I am trying to figure out how to get rid of the sign up/login step in the middle if the user is not set up on Discourse yet.

Great! I would not rely on that reply. The first post should have definitive instructions. If those are not clear enough or up to date, we will have to work on that!

Glad you got it working. :sunflower:


Is there a way to avoid “losing” the original route when logging in to a private post?

If we visit a private page and hit either of the login buttons on that page, we end up on the categories page when redirected back to the site.

Hi, using the OpenID Connect plugin I am able to authenticate users where the IdP is Keycloak. I want to map the groups or roles (realm or client) associated with a user in Keycloak to Discourse.
Is it possible with the OpenID Connect plugin, or is it possible with DiscourseConnect?
I am a little confused between the OpenID Connect plugin and DiscourseConnect. Please help.

Hi there,

How can I configure OIDC to set the username to the email account name or a username-like value returned from my auth provider? In the screenshot below, the username user2091 looks like it was generated from a pattern, which isn’t what I want (it’s not editable either, probably caused by some setting I made). How can I make it “abc” if the email returned is “abc@example.com”?

In my Discourse OIDC config, I only set openid email profile besides the minimal config required, like the example. Should I set something else, for example openid connect claims?


The Discourse OIDC plugin will use the ‘nickname’ claim provided by the identity provider. So you’ll need to review the documentation for your identity provider and work out how to make it send the ‘nickname’ value that you’d like.

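A pre-flight check of a provider's discovery document before pasting its URL into the plugin settings, added here as an example (it is not part of this thread or of the plugin): it verifies that the document sits at the issuer's well-known path, that the endpoints an OIDC client needs are present over HTTPS, that the `openid email profile` scopes the thread configures are advertised, and whether `nickname` (the claim the plugin reads for the username) is among the supported claims. The sample document and hostnames are constructed.

```python
import json

# Constructed sample discovery document; hostnames are placeholders, not a real provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/realms/forum",
    "authorization_endpoint": "https://idp.example.test/realms/forum/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/forum/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.test/realms/forum/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.test/realms/forum/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "email_verified", "name", "preferred_username"],
})

# Endpoints a code-flow OIDC client such as the Discourse plugin relies on.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
# Scopes the thread configures in the plugin ("openid email profile").
PLUGIN_SCOPES = ("openid", "email", "profile")


def check_discovery(doc_json, discovery_url):
    """Return a list of human-readable findings; an empty list means the document looks usable."""
    doc = json.loads(doc_json)
    findings = []

    # The document must live at <issuer>/.well-known/openid-configuration, otherwise the
    # 'iss' value in ID tokens will not match what the client expects.
    issuer = doc.get("issuer", "")
    if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        findings.append("discovery URL does not match issuer; ID token 'iss' validation will fail")

    for key in ("issuer",) + REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            findings.append(f"missing {key}")
        elif not url.startswith("https://"):
            findings.append(f"{key} is not served over https")

    # scopes_supported is optional in the spec; only check it when the provider publishes it.
    if "scopes_supported" in doc:
        missing = [s for s in PLUGIN_SCOPES if s not in doc["scopes_supported"]]
        for s in missing:
            findings.append(f"scope '{s}' not advertised; the plugin's scope request may be rejected")

    # The plugin derives the username from the 'nickname' claim; without it usernames are generated.
    claims = doc.get("claims_supported", [])
    if "nickname" not in claims:
        findings.append("'nickname' not in claims_supported; configure a mapper or usernames will be generated")
    return findings
```

Run it against the JSON your provider serves; on the constructed sample it reports only the missing `nickname` claim.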

Thanks @david. That was it: my provider was not returning the value. I am able to display the username from the provider now.
