We’re using Discourse at my company for internal discussion; only employees are allowed to access it. Currently I’m using OAuth2 authentication via Box with an email domain whitelist to ensure only employees can log in, and that’s working fairly well because for most (or maybe all) of our employees, our company is the reason they have a Box account, so their company email is their primary email in their Box account.
However, we recently tried to enable GitHub authentication, and that’s a different story. It doesn’t work well in combination with the email domain whitelist, because for some (or maybe most) of our employees, they have a single GitHub account that they use for all their various contexts (personal use, various organizations) — so their affiliation with our GitHub organization is just one aspect of their GitHub account, and their company email address is just one of maybe a few addresses in their email account, and frequently not the primary.
In that case, if the domain whitelist is enabled, then those employees can’t login to our site via GitHub, because the GitHub integration only retrieves and uses their primary email address from their GitHub account, and that frequently conflicts with the whitelist.
It’d be great to possibly enhance the GitHub integration to support this case a little better.
I can think of two ways to approach this:
- Retrieve all the verified email addresses from the user’s GitHub account and display them all in a dropdown in the registration form and allow the user to choose which one they want associated with their Discourse account
- Allow me to specify the ID of our GitHub organization in settings, and have the integration verify that the user is indeed a member of that organization, and if so, cool, but if not, then block them. In this case I’d just disable the email domain whitelist.
But of course I’m sure there are other possible approaches.