Inherited forum with old Discourse Connect Config and Looking for Some Guidance

Hi all,

I’ve inherited hosting responsibility for our forum and it appears to have been previously configured with Discourse Connect. I don’t understand this configuration and reading what docs I could find has not enlightened me yet.

I’m unclear if it’s just vestigial configuration (if so I’d like to clean it up) or if somehow the forum is both a client and a server of DiscourseConnect’s authentication? Until I understand it better I’m too spooked to change anything because I don’t want to lose access. The post about DiscourseConnect includes this titbit about transitioning from single sign on.

If I’m reading this right then when I disable DiscourseConnect I will be causing every user to have to reset their password?


I’m going to share as much of my configuration as I feel safe sharing to try and provide context. I think… that maybe DiscourseConnect is somehow set up as both the provider and the client of the authentication flow and that’s confusing to me.

If anyone is willing/able to help me get to the bottom of this I’d really appreciate the help. I’m hesitant to dump a bunch of logs in a support post but can share more information (including logs) upon request.


My goal is

  • to gain more understanding of how our authentication is currently working
  • make it easier for users to change emails and other account configuration as currently I have to direct them to just create a new account.
  • open a path to switching the source of truth for our SSO

If you’d like help from someone who can log in to your site and help you figure out what’s going on you can contact me or ask in Marketplace. My contact info is in my profile.

But if you are using Discourse Connect then you’ll see that when you log in users are directed to the other site to log on. If that’s the case and you want to log in directly to Discourse then, yes, users will have to set a password.

That’s generous of you @pfaffman but I’ve no budget unfortunately.

After making the post I found in the suggested articles this Disable DiscourseConnect post from 2019, which is helpful with its clear process, but I’m still lacking some base understanding of how it is functioning now.

I’m fairly confident that the login is not being redirected. The login page really appears to be just the vanilla Discourse login flow with lots of Discourse-specific assets, data-exporters, scripts etc. and even a console link to the specific commit of the forum we’re running.

:information_source: Discourse v3.5.0.beta3-dev — Commits · discourse/discourse · GitHub — Ember v5.12.0

This makes me quite sure that Discourse is acting as its own source of truth for authentication.

What I’m not quite understanding is how or why the DiscourseConnect config is set to override email, username etc. from the external site but also the /session/sso_provider endpoint is enabled?.. isn’t that like having Discourse simultaneously abdicating responsibility for sign-on while also acting as a source of truth? Or am I missing a core piece of understanding / documentation in how DiscourseConnect’s SSO works?

Thanks everyone for helping my learning.

If you’re not getting redirected to an external SSO server then none of that matters and you’re not using SSO. Is the site public?

If you’re not logging in to whatever is in the blanked out Discourse Connect URL then you don’t have any problem.

Wait. You don’t show Enable Discourse Connect. I suspect it’s not enabled and that’s why it doesn’t show when you have “only show overrides”.

You don’t need to do anything.

You are blowing my mind right now Jay!! :exploding_head::exploding_head::exploding_head:

image

So because this isn’t clicked all that other config is just cruft / noise? Amazing! Thank you so much for engaging on this.

So my new expectation is that unchecking/resetting everything except Login Required will have no effect. It’ll take me a few days to sufficiently build up the guts to try it but I’ll update the thread when I do with the results.

Yeah. Changing it won’t matter. There’s no reason to change it. These aren’t the droids you’re looking for.

Login required matters. It’s not scary. You can change it and test and change it right back.