How to handle Discourse SSO when the authentication site allows users to change emails?

We use a Discourse SSO flow that we have implemented based on this guide: Setup DiscourseConnect - Official Single-Sign-On for Discourse (sso)

It has worked well for us. But now we want to allow users in our system to change their e-mail and this seems to lead to problems.

When I change the email of my user in our system, SSO to Discourse stops working.

Login Error

There is a problem with your account. Please contact the site’s administrator.

I guess that Discourse receives a payload with an email and a username that don’t match and doesn’t know what to do.

What is a good way to handle this?

The best idea I have come up with is to use the Discourse API to change the user's email in Discourse to match that in our system before initiating SSO.

But I don’t know if this is possible. Below is my failed attempt.

Here is my request:

https://forum-stage.{domain}.com/users/{username}/preferences/email

Headers:
Content-Type: application/x-www-form-urlencoded
Accept: application/json

Body (as x-www-form-urlencoded in Postman):
email: testemail@testdomain.com
api_key: 75a...77d
api_username: system

And here is the response I receive

{
    "errors": [
        "You are not permitted to view the requested resource."
    ],
    "error_type": "invalid_access"
}

I’m experiencing this too - did you ever figure out a way around this?

This should not be the case, we primarily key on the SSO id.

You can use the sync sso endpoint to sync the emails on Discourse side if you want to do so proactively but changing emails in your system should always work.

The one exception is

Discourse thinks SSO id is 5 email is bob@jane.com

You log in with SSO id of 6 email is bob@jane.com

This is not resolvable so you will need to manually intervene. (sync sso id 6 first)

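
The proactive sync mentioned in the last reply, as an added example that is not part of the thread and not Discourse's own code: it builds and signs a DiscourseConnect payload in which `external_id` stays fixed while the email changes. The route `/admin/users/sync_sso` and the `Api-Key` / `Api-Username` header names do not appear in the thread, and the secret, ids and addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, parse_qs

# Constructed sample value; the real one is the site's DiscourseConnect secret.
SSO_SECRET = b"constructed-example-secret"


def sign(payload_b64: str, secret: bytes = SSO_SECRET) -> str:
    """DiscourseConnect signature: hex HMAC-SHA256 over the base64 payload."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()


def build_sync_payload(external_id: str, email: str, username: str) -> dict:
    """Form fields for POST /admin/users/sync_sso.

    external_id is the stable key from the identity system and must stay the
    same for a given account; email is whatever that account holds now.
    """
    raw = urlencode({"external_id": external_id, "email": email, "username": username})
    payload_b64 = base64.b64encode(raw.encode()).decode()
    return {"sso": payload_b64, "sig": sign(payload_b64)}


def verify_and_decode(fields: dict, secret: bytes = SSO_SECRET) -> dict:
    """Receiver-side check: constant-time signature comparison, then decode."""
    if not hmac.compare_digest(sign(fields["sso"], secret), fields["sig"]):
        raise ValueError("bad signature")
    decoded = parse_qs(base64.b64decode(fields["sso"]).decode())
    return {key: values[0] for key, values in decoded.items()}


if __name__ == "__main__":
    # Same account (external_id 5) before and after an email change.
    before = build_sync_payload("5", "old@example.com", "bob")
    after = build_sync_payload("5", "new@example.com", "bob")
    print(verify_and_decode(before))
    print(verify_and_decode(after))
    # The two fields are sent as form data, with the API credentials in the
    # Api-Key and Api-Username request headers rather than in the body.
```
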