I think I’ll start by erasing our current Droplet and set it up from scratch again since this docker was set up a few years back. I’ll report back when I have done that and tested it.
Sounds like a good plan. For most communities we recommend sticking to the default tests-passed branch, because it gives you the latest and greatest Discourse features and bug fixes. There have been a lot of changes to authentication since the last stable release, so you might find things start working by themselves.
@david, I’ve taken the time to take another go at it today. I am now using a fresh Discourse install (latest on stable-passed, as you suggested).
I’ve set up OAuth2 using the plugin, just like before, with the following settings:

```text
oauth2 client id: MY-CLIENT-ID
oauth2 client secret: MY-CLIENT-SECRET
oauth2 authorize url: https://MY-NEON-ID.z2systems.com/np/oauth/auth
oauth2 token url: https://www.z2systems.com/np/oauth/token
```
If I use the manually formatted URL, I get this (which is new):
> Authorization timed out, or you have switched browsers. Please try again.
And the usual error in the logs:
```text
(oauth2_basic) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
```
On the other hand, if I use the OAuth2 button in the Discourse login window, I get:
> Oops
> The software powering this discussion forum encountered an unexpected problem. We apologize for the inconvenience.
> Detailed information about the error was logged, and an automatic notification generated. We'll take a look at it.
I also get the following errors logged in /logs:
```text
ArgumentError (Invalid URI: ) /var/www/discourse/vendor/bundle/ruby/2.6.0/gems/excon-0.71.0/lib/excon.rb:126:in `new'
```
and
```text
Failed to handle exception in exception app middleware : Invalid URI:
```
@david I tried your earlier suggestion regarding setting `oauth2_user_json_url` and disabling `oauth2_fetch_user_details`, and I got a bunch of (new) errors after trying it:
```text
ActiveRecord::NotNullViolation (PG::NotNullViolation: ERROR: null value in column "provider_uid" violates not-null constraint
DETAIL: Failing row contains (1, oauth2_basic, null, null, 2019-12-19 01:00:49.076659, {}, {"token": "9607", "expires": false}, {}, 2019-12-19 01:00:49.077107, 2019-12-19 01:00:49.077107).
)
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/rack-mini-profiler-1.1.4/lib/patches/db/pg.rb:69:in `async_exec_params'
Failed to handle exception in exception app middleware : PG::NotNullViolation: ERROR: null value in column "provider_uid" violates not-null constraint
DETAIL: Failing row contains (1, oauth2_basic, null, null, 2019-12-19 01:00:49.076659, {}, {"token": "9607", "expires": false}, {}, 2019-12-19 01:00:49.077107, 2019-12-19 01:00:49.077107).
```
And of course the usual:
```text
(oauth2_basic) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
```
However, I noticed in this last one (CSRF detected) that in the env tab it says:

```text
hostname             forum-app
process_id           762
application_version  db7d00a8dce2cc1f7b9d86192cde1f55dd57408b
HTTP_HOST            forum.efao.ca
```
Is it normal for the hostname not to match the HTTP_HOST name? Could that be why I get the CSRF error?
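An added example, written for this thread and not taken from it or from the discourse-oauth2-basic plugin, showing where an OmniAuth-style `csrf_detected` failure comes from: a random `state` value is stored in the browser session when the authorize redirect is issued, and the callback is only accepted if the provider echoes exactly that value back into the same session. A callback that lands in a session which never issued the redirect (a different browser, a session cookie that was not sent for the callback host, or a second attempt after the first was consumed) fails the check. The `hostname` value in the env tab is the name of the machine or container the Rails process runs on, while `HTTP_HOST` is the request's Host header, so those two differing is expected and is not by itself what triggers the check. The URLs, client id and session hash below are constructed.

```ruby
require "securerandom"
require "uri"

# Constructed stand-ins: `session` plays the Rack session cookie, the hash of
# callback params plays what the provider redirects the browser back with.

# Request phase: mint a random state, remember it in the session, and send the
# browser to the provider's authorize endpoint with that state attached.
def begin_authorization(session, authorize_url, client_id, redirect_uri)
  state = SecureRandom.hex(16)
  session["omniauth.state"] = state
  query = URI.encode_www_form(
    response_type: "code",
    client_id: client_id,
    redirect_uri: redirect_uri,
    state: state
  )
  "#{authorize_url}?#{query}"
end

# Callback phase: the stored state is single-use (deleted from the session as it
# is read) and must match the returned one exactly. Returns :ok or
# :csrf_detected, the outcome the "(oauth2_basic) Authentication failure!
# csrf_detected" log line above reports.
def verify_callback(session, callback_params)
  expected = session.delete("omniauth.state")
  returned = callback_params["state"]
  return :csrf_detected if expected.nil? || returned.nil? || expected != returned
  :ok
end

# Demonstration helper: pull the state back out of the redirect URL, as the
# provider would before echoing it on the callback.
def state_from_redirect(url)
  URI.decode_www_form(URI(url).query).to_h["state"]
end

if $PROGRAM_NAME == __FILE__
  session = {}
  url = begin_authorization(session, "https://provider.example/np/oauth/auth",
                            "MY-CLIENT-ID", "https://forum.example/auth/oauth2_basic/callback")
  state = state_from_redirect(url)

  # Same browser session that issued the redirect: the check passes.
  puts verify_callback(session.dup, { "code" => "abc", "state" => state }) # :ok
  # Callback arrives in a session that never issued the redirect (cookie lost,
  # different browser): csrf_detected.
  puts verify_callback({}, { "code" => "abc", "state" => state })          # :csrf_detected
  # Provider drops or alters the state parameter: csrf_detected.
  puts verify_callback(session, { "code" => "abc" })                       # :csrf_detected
end
```

When debugging a real instance, the useful check is whether the session cookie set on the authorize redirect is present on the callback request; if the callback host or cookie domain differs from the one that started the flow, the state lookup has nothing to compare against.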
Hey Denis,
any luck?
I got the same error:
```text
ActiveRecord::NotNullViolation (PG::NotNullViolation: ERROR: null value in column "provider_uid" violates not-null constraint
```
How did you fix it?
Thanks,
Beam
Denis and I worked out that NeonCRM aren’t really sticking to the OAuth2 spec… they are sending the user_id inside the access_token variable, and it cannot be used as an actual access token.
So, you need to disable `oauth2_fetch_user_details`, and set `oauth2_callback_user_id_path` to `token` (not `access_token`, because the oauth2 Ruby library renames it for internal use).
With that, it should be functional, but there is no way to fetch the user email/name.
Hey Denis,
I’m using Mattermost, so it’s behaving differently.
However, your info made me look more at the settings, and I have it working, thanks!!
Here are my settings for Mattermost as an OAuth2 provider to Discourse:
Settings in text for search engines:
```text
oauth2 client id: <client id from mattermost oauth2 provider setup>
oauth2 client secret: <client secret from mattermost oauth2 provider setup>
oauth2 authorize url: https://chat.animalrebellion.org/oauth/authorize
oauth2 token url: https://chat.animalrebellion.org/oauth/access_token
oauth2 token url method: POST
oauth2 callback user id path:
oauth2 callback user info paths:
oauth2 fetch user details: CHECKED
oauth2 user json url: https://chat.animalrebellion.org/api/v4/users/me
oauth2 user json url method: GET
oauth2 json user id path: id
oauth2 json username path: username
oauth2 json name path: username
oauth2 json email path: email
oauth2 json email verified path: email_verified
oauth2 json avatar path:
oauth2 email verified: CHECKED
```
On the mattermost side, the callback url is set as:
https://base.animalrebellion.org/auth/oauth2_basic/callback
Still would like to see how to join first_name and last_name into the “json name path” as full_name, but I can live with just using the “username” or “first_name” property.
HTH
Cheers!
Beam
Links to resources:
Link to plugin: GitHub - discourse/discourse-oauth2-basic: A basic OAuth2 plugin for use with Discourse
Link to how to install discourse plugin: Install plugins on a self-hosted site
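An added example, my own Ruby rather than the plugin's code, that covers both configurations discussed in this thread: David's NeonCRM workaround, where the user id arrives in the callback credentials hash under `token` with no usable access token, and Beam's Mattermost setup, where the id, username and email are read from the `/api/v4/users/me` JSON through the `oauth2 json ... path` settings. It also refuses to build an account record with an empty provider uid before anything is persisted, which is the condition the `PG::NotNullViolation` earlier in the thread reports only after the insert has been attempted. The dotted-path syntax (`a.b.c`) is an assumption for this example, and every sample input is constructed.

```ruby
require "json"

# Walk a dotted path such as "id" or "user.profile.id" through nested hashes.
# Dotted paths are an assumption for this example; the plugin README documents
# the exact syntax it accepts. Returns nil for a blank path or a missing key.
def dig_path(hash, path)
  return nil if path.nil? || path.strip.empty?
  path.split(".").reduce(hash) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Build the account record the forum would persist.
#   credentials:           the callback credentials hash (what the log above
#                          shows as {"token": "9607", "expires": false})
#   user_json:             the parsed user-info response, or nil when
#                          "fetch user details" is disabled
#   callback_user_id_path: the "oauth2 callback user id path" setting
#   json_*_path:           the "oauth2 json ... path" settings
def resolve_account(credentials:, user_json: nil, callback_user_id_path: "",
                    json_user_id_path: "id", json_username_path: "username",
                    json_email_path: "email", json_email_verified_path: "email_verified")
  uid = dig_path(credentials, callback_user_id_path)
  uid = dig_path(user_json, json_user_id_path) if uid.nil? && user_json

  # Guard up front: a nil uid would otherwise reach the NOT NULL column and
  # surface as the database error seen in the thread.
  if uid.nil? || uid.to_s.strip.empty?
    raise ArgumentError, "provider_uid is empty: check the user id path settings"
  end

  {
    provider: "oauth2_basic",
    provider_uid: uid.to_s,
    username: user_json && dig_path(user_json, json_username_path),
    email: user_json && dig_path(user_json, json_email_path),
    email_verified: user_json ? dig_path(user_json, json_email_verified_path) == true : false
  }
end

# Constructed sample: NeonCRM-style callback, user id carried in the token
# field, no usable access token and therefore no user-info fetch.
NEON_CREDENTIALS = { "token" => "9607", "expires" => false }.freeze

# Constructed sample: an opaque token plus a Mattermost-style
# /api/v4/users/me response body.
MATTERMOST_CREDENTIALS = { "token" => "opaque-access-token", "expires" => false }.freeze
MATTERMOST_USER = JSON.parse(
  '{"id":"u1abc","username":"beam","first_name":"B","last_name":"Eam",' \
  '"email":"beam@example.invalid","email_verified":true}'
).freeze

if $PROGRAM_NAME == __FILE__
  # NeonCRM: fetch disabled, uid taken straight from the credentials hash.
  p resolve_account(credentials: NEON_CREDENTIALS, callback_user_id_path: "token")
  # Mattermost: callback path left blank, everything comes from the user JSON.
  p resolve_account(credentials: MATTERMOST_CREDENTIALS, user_json: MATTERMOST_USER)
  # Misconfiguration: blank callback path and no user JSON, rejected before the insert.
  begin
    resolve_account(credentials: NEON_CREDENTIALS)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The `email_verified` flag is only taken from the user JSON when it is literally `true`; a provider that omits the field yields `false`, which is the safer default when the forum will otherwise skip its own address confirmation.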
Happy you got it working @Beam!