First and foremost I love Discourse: thanks for all of your hard work on this project.
I’m using Discourse as a private course forum. I create accounts for active students using a script, set course staff as moderators, and disable accounts if students drop the class. All of that works swimmingly.
The one hitch is integrating with Google’s authentication. The accounts I create for students use their university email address, for obvious reasons, and we do have Google authentication enabled for our domain. (Although students have to opt in.)
The problem is that, last time I checked, the default Discourse Google OAuth flow doesn’t handle multiple accounts very well. A very typical case is that a student will already be signed in to Google using their non-university account. When they try to log in to the forum, rather than providing an option to switch accounts, the Discourse forum login just fails and says that they are not authorized. It also doesn’t say which account wasn’t authorized, or provide a switch accounts dialog, furthering the confusion. Then I get dozens of repetitive emails about this, which is the entire problem that the forum is supposed to be helping me solve. The workaround, which seems clunky, is to have students visit another Google page (like Google.com) and go through the add account dialog there.
Originally I thought that this was just a Google problem, but recently I built something using Meteor. Its Google authentication plugin allows you to force the use of a specific Google Apps domain, meaning that even if I am logged in to other Google accounts, or haven’t configured any, it forces me through my university provider. Which is exactly what I want. The flow isn’t perfect: first I get sent to my university login page (good), but then I get sent back to a dialog where I can choose which Google account to use… except that there is only one option. So that’s fine, but unnecessary. Overall it’s an improvement though, which leads me to believe that Discourse can do a bit better here.
Steps to reproduce this problem:
- Visit my closed forum in an incognito window.
- Try to log in, but use the wrong Google account.
- “Sorry, access to this forum is by invitation only.”
- Click the “Login with Google” button, no add account dialog, just the same message again.
- Now I’m stuck.
Anyway, it seems like there are a few options here, in order from best to worst:
- Have the Google OAuth flow return the user to a switch or add accounts dialog when a login attempt fails. This is probably the most general-purpose fix.
- Implement Google’s domain restriction so that I have to log in using my domain-specific provider.
- Add some explanation to the login failed page telling users how to fix the problem. (I can do this, but it’s a hack.)
Happy to help with this if someone can point me in the right direction, and to test any attempted fixes.
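Editor's added example, not part of the original post and not Discourse's own code: a Ruby sketch of the first two options using Google's documented `hd` and `prompt=select_account` authorization parameters. Because `hd` in the request is only a hint that a client can remove, the server also checks the `hd` claim of the ID token and names the rejected account in its message. The function names, `example.edu` and the sample claims are constructed for illustration, and the claims are assumed to come from an ID token whose signature has already been verified.

```ruby
require "uri"

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Build the authorization URL (hypothetical helper). `hd` asks Google to offer
# only accounts in the hosted domain; `prompt=select_account` forces the
# account chooser even if the browser is already signed in to another account.
def google_auth_url(client_id:, redirect_uri:, state:, hosted_domain:)
  query = URI.encode_www_form(
    client_id: client_id,
    redirect_uri: redirect_uri,
    response_type: "code",
    scope: "openid email",
    state: state,
    hd: hosted_domain,
    prompt: "select_account"
  )
  "#{GOOGLE_AUTH_ENDPOINT}?#{query}"
end

# Server-side enforcement (hypothetical helper). `claims` is the payload of an
# ID token whose signature was verified elsewhere. Personal Google accounts
# carry no `hd` claim at all, so a missing claim is a rejection.
# Returns [true, nil] or [false, message naming the rejected account].
def check_hosted_domain(claims, hosted_domain)
  email = claims["email"].to_s
  unless claims["email_verified"] == true
    return [false, "Google has not verified #{email}."]
  end
  unless claims["hd"].to_s.casecmp?(hosted_domain)
    return [false, "You signed in as #{email}, which is not a " \
                   "#{hosted_domain} account. Choose your #{hosted_domain} " \
                   "account and try again."]
  end
  [true, nil]
end

if __FILE__ == $0
  # Constructed sample claims: a student signed in with a personal account.
  personal = { "email" => "student@gmail.com", "email_verified" => true }
  puts google_auth_url(client_id: "CLIENT_ID_PLACEHOLDER",
                       redirect_uri: "https://forum.example.edu/callback",
                       state: "constructed-state", hosted_domain: "example.edu")
  puts check_hosted_domain(personal, "example.edu").inspect
end
```

On rejection, sending the user back through `google_auth_url` gives them the account chooser instead of the same failure message.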