Discourse OpenID Connect

Hi @balazsorban44, thanks for the reminder on this. I’ve done a first pass of reviewing the PR. If the author doesn’t have time to work on those things, then it’s likely something we can take on. I agree having PKCE support would be nice.

However, it’s worth noting: I don’t think Discourse is vulnerable to the “authorization code interception” attacks which PKCE protects against. Discourse authentication always happens in-browser over https, and does not use OS-level custom URL schemes which can be intercepted by other apps.

But of course, there is no harm in adding the extra layer of security :+1:

2 Likes
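The authorization-code interception PKCE guards against, as an added Ruby example that is not the plugin's own code: the client creates a code_verifier, sends only its S256 code_challenge with the authorize request, and the authorization server refuses to redeem the code unless the token request carries a verifier that hashes to the stored challenge. Module and method names are assumed for illustration.

```ruby
require 'securerandom'
require 'digest'
require 'base64'

# Constructed example of the PKCE S256 exchange (RFC 7636); not the plugin's code.
module PkceExample
  # Client side: 32 random bytes, base64url without padding, gives a 43-character
  # code_verifier, the minimum length the RFC allows.
  def self.generate_verifier(bytes = 32)
    Base64.urlsafe_encode64(SecureRandom.random_bytes(bytes), padding: false)
  end

  # code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding.
  def self.challenge_for(verifier)
    Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
  end

  # Authorization server side, at the token endpoint: validate the verifier's
  # shape, recompute the challenge and compare it with the one stored when the
  # code was issued. Unsupported methods are rejected outright.
  def self.verifier_matches?(stored_challenge, method, presented_verifier)
    return false if presented_verifier.nil?
    return false unless presented_verifier.length.between?(43, 128)
    return false unless presented_verifier.match?(/\A[A-Za-z0-9\-._~]+\z/)
    case method
    when 'S256' then constant_time_equal?(challenge_for(presented_verifier), stored_challenge)
    when 'plain' then constant_time_equal?(presented_verifier, stored_challenge)
    else false
    end
  end

  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Walk the flow once: the legitimate client holds the verifier and succeeds;
  # a party that only captured the authorization code has no verifier and fails.
  def self.simulate_flow
    verifier = generate_verifier
    authorize_params = { 'response_type' => 'code',
                         'code_challenge' => challenge_for(verifier),
                         'code_challenge_method' => 'S256' }
    issued = { 'code' => SecureRandom.hex(16), # constructed code value
               'challenge' => authorize_params['code_challenge'], 'method' => 'S256' }
    legit = verifier_matches?(issued['challenge'], issued['method'], verifier)
    without_verifier = verifier_matches?(issued['challenge'], issued['method'], generate_verifier)
    [legit, without_verifier]
  end
end
```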

Not necessarily concerned about security.

I addressed the feedback here, keeping the original contributor’s history for credit: feat: PKCE support by balazsorban44 · Pull Request #86 · discourse/discourse-openid-connect · GitHub

Happy to finish the swing on it :slight_smile:

1 Like

Have you found a solution to this?

Unfortunately, no.

@swt2c I hacked it into the plugin by adding

  # Extra logout parameters this identity provider expects (placeholder client id)
  params << ["client_id", "<my-client-id>"]
  params << ["logout_uri", post_logout_redirect] if post_logout_redirect

after the params << ["post_logout_redirect_uri", post_logout_redirect] if post_logout_redirect line in plugin.rb.

Would be great to get official support for this!

@balazsorban44 thanks for taking this on! I just merged the PR, so we now have opt-in PKCE support in the plugin :tada:

3 Likes

Hey Chris,
How did you integrate Authentik with this plugin? Any insights will be helpful. We have been struggling for a couple of weeks to get it working correctly.

Hmm, I can’t remember something special. What is your problem exactly? Do you want to share some screenshots of your configuration (maybe via PM)?

Thanks for replying, Chris. Sure, I will connect with you later in the week when my dev team, who was working on Authentik, is around. The main issues are with the flow and the outpost.