Discourse OpenID Connect

Hyan · August 18, 2023, 7:25am

Can you please take a look at the issue mentioned in following post? I would like to use OIDC plugin over OAuth basic. But I face the same issue - cannot pass parameters to /authorize request. I put the value in plugin in format of foo=bar.

Hyan · August 21, 2023, 12:45am

Hi,
Is someone ever able to configure OIDC with authorize parameters? Or I have to change to OAuth basic plugin? Many thanks!

manavb · August 23, 2023, 6:16pm

Hey @Avinash_Dane Were you able to figure this out ?

JJ_IA · August 26, 2023, 5:17am

I haven’t been able to get this to work in LinkedIn. Curious if anyone else has? I get as far as logging into LinkedIn after being redirected there when clicking on the signin with…button and then “allowing” my app to use my email from LinkedIn, then I get “Sorry there was an error authorizing your account. Please try again.”

https:/discourse.mysite.com/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fdiscourse.mysite.com%2F&strategy=oidc

Geoffrey_Challen · September 1, 2023, 3:55pm

I’m currently not able to get Azure AD working with a common login endpoint.

I’m using the suggested discovery endpoint:

https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

However, this redirects users to my organizational login page, not to the common Azure AD login page that allows using @hotmail.com and other Microsoft accounts. Note that my provider is configured to allow those accounts, and I’ve been able to use them using the same client using NextAuth, so I think that this does work.

I’m not sure if the solution is to use a different discovery document, or something else? Any help would be appreciated .

sebix1 · September 1, 2023, 3:58pm

Do you really use {tenant} or some actual tenant ID?

Geoffrey_Challen · September 1, 2023, 4:47pm

LOL. I replace that with my tenant ID . Otherwise I’m pretty sure it wouldn’t work at all…

sebix1 · September 1, 2023, 4:50pm

Which one? The tenant consumers worked for us, while common didn’t.

wayway_way · October 16, 2023, 9:08am

I deployed it locally in source code according to the following link:

So should the redirect url be 127.0.0.1:4200/auth/oidc/callback or 127.0.0.1:3000/auth/oidc/callback?
When I write 127.0.0.1:4200/auth/oidc/callback, keycloak will prompt Invalid parameter: redirect_uri. I encounter csrf when I write 127.0.0.1:3000/auth/oidc/callback

sebix1 · October 16, 2023, 9:11am

What is running on ports 4200 and 3000? The port of the redirect_uri setting in keycloak should be the one of discourse.

wayway_way · October 16, 2023, 9:14am

The discourse server runs on port 3000, and the discourse embercli runs on port 4200.

sebix1 · October 16, 2023, 9:16am

Then the redirect_uri should be 127.0.0.1:4200/auth/oidc/callback

wayway_way · October 16, 2023, 9:20am

But this will encounter csrf

The code causing the issue is here

github.com

omniauth/omniauth-oauth2/blob/c830138e399b207ad3ce832ed4db51e67030cdcb/lib/omniauth/strategies/oauth2.rb#L86


      
          
            params
          end
          
          def token_params
            options.token_params.merge(options_for("token")).merge(pkce_token_params)
          end
          
          def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
            error = request.params["error_reason"] || request.params["error"]
            if !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))
              fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
            elsif error
              fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
            else
              self.access_token = build_access_token
              self.access_token = access_token.refresh! if access_token.expired?
              super
            end
          rescue ::OAuth2::Error, CallbackError => e
            fail!(:invalid_credentials, e)

I debugged the source code of this plugin and found some clues. Then I checked the discourse log

It seems that the sessionid has changed, causing session[“omniauth.state”] to be lost. So why sessionid changes?

Frank_L · October 25, 2023, 2:38am

Does anyone know if it’s possible to map the name claim rather than the preferred_username claim to the username (nickname) displayed during signup and shown in the ‘Create Account’ pop-up?

Here is the information we receive from Keycloak:

{
 ..
  "scope": "openid email",
  "sid": "f0f20a2a-19e5-4581-8a45-c1250376f226",
  "email_verified": true,
  "name": "Ted Bush",
  "preferred_username": "tb",
  "given_name": "Ted",
  "family_name": "Bush",
  "email": "ted.bush@example.com"
...
}

By default, the preferred_username (in this example, “tb”) is used as the username (nickname).

However, we would like to configure the integration in such a way that the name (“Ted Bush”) is used as the username (nickname) instead.

Thanks.

Frank_L · October 28, 2023, 3:50am

I see the “Use a user’s full name when suggesting usernames.” setting in the Users setting section. But it seems to have no effect for OpenID Connect?

Or does this work for anybody?

simon · October 28, 2023, 7:20am

Yes, it works for me when testing it with the Google OAuth2 server as the OpenID Connect provider.

I think the issue you are running into is related to how the Discourse username suggester code works. Keycloak is returning a preferred_username. If a preferred_username is set in the userinfo that’s returned from the identity provider, it takes precedence over the value of either the name or given_name/family_name fields.

For reference, the problem is happening here (preferred_username is set as the value of username in a method that gets called before this):

github.com

discourse/discourse/blob/main/lib/auth/result.rb#L185-L190


      
          def username_suggester_attributes
            attributes = [username]
            attributes << name if SiteSetting.use_name_for_username_suggestions
            attributes << email if SiteSetting.use_email_for_username_and_name_suggestions
            attributes
          end

Then here:

github.com

discourse/discourse/blob/main/lib/user_name_suggester.rb#L7-L27


      
          def self.suggest(*input, current_username: nil)
            name =
              input.find do |item|
                parsed_name = parse_name_from_email(item)
                break parsed_name if sanitize_username(parsed_name).present?
              end
          
            name = fix_username(name)
            find_available_username_based_on(name, current_username)
          end
          
          def self.parse_name_from_email(name_or_email)
            return name_or_email if name_or_email.to_s !~ User::EMAIL
          
            # When 'walter@white.com' take 'walter'
            name = Regexp.last_match[1]
          
            # When 'me@eviltrout.com' take 'eviltrout'
            name = Regexp.last_match[2] if GENERIC_NAMES.include?(name)
            name
          end

Since the value of preferred_username is the first argument that gets passed to the username suggester code, it will get used. That means that the use_name_for_username_suggestions setting isn’t having any effect for this case. I think it was intended to catch the case of no preferred_username being passed back from the identity provider.

I’m not seeing a good workaround for this, unless you can prevent the preferred_username from being passed to Discourse from Keycloak.

Frank_L · October 29, 2023, 2:08am

@simon, you are correct; I have verified what you mentioned using a test Keycloak instance. When I configure Keycloak to omit preferred_username from being passed to Discourse, the first and last names are indeed used by the Discourse username suggester.

However, we cannot configure our production Keycloak in this manner, as the client configuration is shared with several other clients, not just Discourse.

It would be beneficial to have a way to influence this behaviour within the plugin.

JJ_IA · November 10, 2023, 6:36am

I’m still having trouble with this. I’m getting the following error:

(oidc) Authentication failure! invalid_credentials: OAuth2::Error, invalid_request: A required parameter "client_secret" is missing {"error":"invalid_request","error_description":"A required parameter

I’t san omniauth error and appears to be related [potentially] to this: No longer works with oauth2 gem v2.0+ · Issue #68 · decioferreira/omniauth-linkedin-oauth2 · GitHub

Help is appreciated!

weber-s · November 15, 2023, 9:00am

Hello there!

I’m using this plugin to sync user from a django site, but the avatar is sync only on creation. If user change it in django, it is not sync in discourse.

In fact, in Discourse managed_authenticator.rb, the retrieve_avatar return early if the user already have a custom avatar setup:

  def retrieve_avatar(user, url)
    return unless user && url
    return if user.user_avatar.try(:custom_upload_id).present?
    Jobs.enqueue(:download_avatar_from_url, url: url, user_id: user.id, override_gravatar: false)
  end

Did I missed something or discourse-openid-connect can not update avatar on login?

I also have question for the “website”, “location” and “bio_raw”. DiscourseConnect sync it on login, can openidconnect also do it? All are supported in the oidc claims

cheers!

Discoder · November 16, 2023, 9:55pm

I’m receiving the following errors:


(oidc) Authentication failure! openid_connect_discovery_error: OmniAuth::OpenIDConnect::DiscoveryError, Discovery document is missing

OIDC Log: Fetching discovery document raised error Faraday::ConnectionFailed FinalDestination: lookup failed

I have my plugin setting “openid connect discovery document” set in the Admin Settings as: https://<auth_provider>/.well-known/openid-configuration and I can successfully hit it in the App Docker container that is running with a Curl command and even in the Rails console.

Any idea why I’m receiving these errors? Can’t integrate properly because of this. Also, I’m behind the intranet and using a company proxy if that is any help. Like i said, with the proxy eneabled in the ENV of the container, i can properly hit the “openid connect discovery document” url.