Does `sso overrides groups` work with Oauth2?

I would like to use this feature. We’re on the Business hosted plan, so SAML is not available to us, so we’re using Oauth2 / OpenID Connect. I believe I have everything configured correctly (sso overrides groups is on, and oauth2 scope is set to openid profile email

I am a little confused about how Discourse uses the word SSO and what options appear where. However, we’re using sso overrides username and that works. Should I expect this to as well?

1 Like

The sso overrides groups setting does not work with OAuth2. It only works with Discourse’s implementation of SSO: DiscourseConnect - Official Single-Sign-On for Discourse (sso). We are in the process of renaming Discourse SSO to DiscourseConnect to avoid confusion around this issue.

1 Like

Ouch, that’s unfortunate. The rename will definitely help reduce confusion, but doesn’t help my needs. Is this limitation intentional or it just not implemented?

The setting uses a separate code path from what’s used with OAuth2 logins. Syncing groups via OAuth2 hasn’t been implemented. Being able to sync Discourse groups with groups from an external site has a lot of use cases with Discourse, so hopefully it’s something that can be implemented in the future. For now, your only option is to manage group membership via the API.


So, we have some very early potential patches for implementing groups with OAuth2:

:warning: However since we’re using the hosted plan we don’t have a quick staging environment in which to test them, so they’re completely theoretical. Will try to get such an environment set up sometime soon but it is literally no one’s day job, so if it happens that anyone else could help review and test these that would be amazing.


If you submit those as PRs against our repository we will review. Can’t guarantee that it will be merged, but at least a review will happen.


Awesome, thanks. Will try to get either a local test or some other kindly volunteer to actually see if they work first and remove the :warning:.


I haven’t had time to work on this (or find anyone who can…). If anyone reading this would like to help, that’d be awesome.

Once Managing group membership via authentication - #14 by mattdm is finished, we will certainly be looking at getting it working with the OAuth2 plugin :slight_smile:


I deployed the changes linked above and they didn’t seem to break discourse. Is their documentation on how to run your tests so that I can verify the changes didn’t break anything?

1 Like

Nice! Breaking things aside, do they work?

Long story short, I don’t know unless I use a mock system on the Fedora Accounts System (FAS) – or some other OIDC system – to try it but I would also be interested in learning how to use the smoke test from discourse that seems to run on a headless chrome browser but I’m struggling to find anything on that.

Does someone from Discourse know where I might be able to find how to run a smoke test?

Could someone from Fedora give a mock FAS system to test against?

1 Like

Hmmm. The Fedora Account System is … kind of big. (But (as of major upgrade this year) it’s FreeIPA under the hood, so theoretically anyone could create something like it.)

Maybe we could connect your test Discourse to the actual Fedora Account System?

Hey folks! I can totally add you to our staging Oauth2 instance, would that help?

1 Like