Does `sso overrides groups` work with Oauth2?

I would like to use this feature. We’re on the Business hosted plan, so SAML is not available to us, so we’re using Oauth2 / OpenID Connect. I believe I have everything configured correctly (sso overrides groups is on, and oauth2 scope is set to openid profile email https://id.fedoraproject.org/scope/groups).

I am a little confused about how Discourse uses the word SSO and what options appear where. However, we’re using sso overrides username and that works. Should I expect this to as well?

The sso overrides groups setting does not work with OAuth2. It only works with Discourse’s implementation of SSO: DiscourseConnect - Official Single-Sign-On for Discourse (sso). We are in the process of renaming Discourse SSO to DiscourseConnect to avoid confusion around this issue.

Ouch, that’s unfortunate. The rename will definitely help reduce confusion, but doesn’t help my needs. Is this limitation intentional, or is it just not implemented?

The setting uses a separate code path from what’s used with OAuth2 logins. Syncing groups via OAuth2 hasn’t been implemented. Being able to sync Discourse groups with groups from an external site has a lot of use cases with Discourse, so hopefully it’s something that can be implemented in the future. For now, your only option is to manage group membership via the API.
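One way to do that group sync through the admin API, as an added example (not code from this thread or from Discourse itself): it assumes a hypothetical mapping from IdP group names (as delivered in the OIDC groups claim) to Discourse group names, and uses the Discourse `Api-Key`/`Api-Username` headers with the `/groups/<name>/members.json` and `/admin/groups/<id>/members.json` endpoints. The diff logic is separated from the HTTP calls so it can be checked without a live site.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed, hypothetical mapping: IdP group name -> Discourse group name.
# Only groups listed here are ever touched, so unrelated Discourse groups
# (e.g. manually curated ones) are left alone.
GROUP_MAP = {"fedora-contributor": "contributors", "sysadmin-main": "admins"}


def plan_group_changes(idp_groups, discourse_members, username):
    """Return (add_to, remove_from): Discourse group names the user must be
    added to / removed from. idp_groups is the list from the OIDC groups claim;
    discourse_members maps Discourse group name -> set of current usernames."""
    wanted = {GROUP_MAP[g] for g in idp_groups if g in GROUP_MAP}
    managed = set(GROUP_MAP.values())
    add_to = sorted(g for g in wanted
                    if username not in discourse_members.get(g, set()))
    remove_from = sorted(g for g, members in discourse_members.items()
                         if g in managed and g not in wanted and username in members)
    return add_to, remove_from


class DiscourseClient:
    """Minimal client for the Discourse group-membership endpoints."""

    def __init__(self, base_url, api_key, api_username):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Api-Key": api_key, "Api-Username": api_username}

    def _request(self, method, path, data=None):
        # urllib sets Content-Type to application/x-www-form-urlencoded when a body is given.
        body = urlencode(data).encode() if data else None
        req = urllib.request.Request(self.base_url + path, data=body,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def members(self, group_name, page_size=100):
        """Collect all usernames in a group, following limit/offset pagination."""
        names, offset = set(), 0
        while True:
            path = f"/groups/{group_name}/members.json?limit={page_size}&offset={offset}"
            page = self._request("GET", path)["members"]
            names.update(m["username"] for m in page)
            if len(page) < page_size:
                return names
            offset += page_size

    def add_member(self, group_id, username):
        return self._request("PUT", f"/admin/groups/{group_id}/members.json",
                             {"usernames": username})

    def remove_member(self, group_id, username):
        return self._request("DELETE", f"/admin/groups/{group_id}/members.json",
                             {"usernames": username})
```

The numeric group id needed by the admin endpoints is separate from the group name used by the members listing; fetch it once per group rather than per user.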

So, we have some very early potential patches for implementing groups with OAuth2:

:warning: However since we’re using the hosted plan we don’t have a quick staging environment in which to test them, so they’re completely theoretical. Will try to get such an environment set up sometime soon but it is literally no one’s day job, so if it happens that anyone else could help review and test these that would be amazing.

If you submit those as PRs against our repository we will review. Can’t guarantee that it will be merged, but at least a review will happen.

Awesome, thanks. Will try to get either a local test or some other kindly volunteer to actually see if they work first and remove the :warning:.