I would like to use this feature. We’re on the Business hosted plan, so SAML is not available to us, so we’re using Oauth2 / OpenID Connect. I believe I have everything configured correctly (sso overrides groups is on, and oauth2 scope is set to openid profile email https://id.fedoraproject.org/scope/groups).
I am a little confused about how Discourse uses the word SSO and what options appear where. However, we’re using sso overrides username and that works. Should I expect this to as well?
The sso overrides groups setting does not work with OAuth2. It only works with Discourse’s implementation of SSO: DiscourseConnect - Official Single-Sign-On for Discourse (sso). We are in the process of renaming Discourse SSO to DiscourseConnect to avoid confusion around this issue.
Ouch, that’s unfortunate. The rename will definitely help reduce confusion, but doesn’t help my needs. Is this limitation intentional or it just not implemented?
The setting uses a separate code path from what’s used with OAuth2 logins. Syncing groups via OAuth2 hasn’t been implemented. Being able to sync Discourse groups with groups from an external site has a lot of use cases with Discourse, so hopefully it’s something that can be implemented in the future. For now, your only option is to manage group membership via the API.
So, we have some very early potential patches for implementing groups with OAuth2:
However since we’re using the hosted plan we don’t have a quick staging environment in which to test them, so they’re completely theoretical. Will try to get such an environment set up sometime soon but it is literally no one’s day job, so if it happens that anyone else could help review and test these that would be amazing.
Ho implementato le modifiche collegate sopra e non sembrano aver rotto Discourse. C’è una documentazione su come eseguire i test in modo da poter verificare che le modifiche non abbiano rotto nulla?
In breve, non lo so finché non provo a usare un sistema mock sul Fedora Accounts System (FAS) — o su qualche altro sistema OIDC — per testarlo. Sarei comunque interessato a imparare come eseguire il smoke test di Discourse, che sembra girare su un browser Chrome headless, ma sto faticando a trovare informazioni al riguardo.
C’è qualcuno di Discourse che sa dove potrei trovare le istruzioni per eseguire uno smoke test?
Potrebbe qualcuno di Fedora fornirmi un sistema FAS mock da usare per i test?
Hmm. Il sistema degli account Fedora è… piuttosto grande. (Ma (dalla grande aggiornamento di quest’anno) utilizza FreeIPA sotto il cofano, quindi in teoria chiunque potrebbe crearne uno simile.)
Forse potremmo collegare il tuo Discourse di test al vero sistema degli account Fedora?
However since we’re using the hosted plan we don’t have a quick staging environment in which to test them, so they’re completely theoretical. Will try to get such an environment set up sometime soon but it is literally no one’s day job, so if it happens that anyone else could help review and test these that would be amazing.
.