Integrate OAuth with an invite only flow

Hi everyone,

I’m working on a project to integrate our main product ( into our community ( and struggling a bit to find the best approach.

Our community is invite only and we want to keep it this way, but we also want to allow a user that has a specific role in our main app to be able to bypass the invite process and sign in to our Discourse. So I can’t use SSO and the normal OAuth flow won’t work for signups.

I turned our main app into an OAuth provider and wrote the plugin to let people sign in with their credentials from the main app, and it seems to work. The problem now is to figure out what to do with the signup flow. I’m looking into the API and going to try to keep both DBs in sync.

Has anyone tried something like this before? Is the API flow + OAuth the best approach?



Hi Daniel,

I think you are on the right track with API flow + OAuth. Whenever a new user with a specific role in Know Your Company is created you will use the Discourse API to also create/activate that user in The Watercooler which should allow them to use OAuth to login.


Hi @blake, thanks for the reply.

I changed course a bit and what I’m working on right now is to create users if they don’t exist yet using the after_authenticate hook of the third-party Authenticator I wrote. Do you think that’s a bad idea?

Also, one of my challenges now is to figure out what to do when the user changes their email on Know Your Company or Discourse and the databases end up out of sync on the email address.


Nope, that is a good idea because then you only need to create the user if they are actually trying to use the forum rather than pre-loading all users even if they might not use it.

On the Discourse side you could create a User Event webhook to sync with Know Your Company. Which will trigger:

When a user logs in, logs out, is created, approved or updated.

It would be nice if user events were more fine-grained so that it only triggered on “updated”, but I guess you can just ignore all non-“updated” events on the Know Your Company side.

Thinking about this though I’m not sure what you would key off of to know which user updated their email. SSO handles this because you pass in a “user_id”. I think with OAuth you can also pass in a “user_id” (oauth2_json_user_id_path) or some custom field that you could look up in Know Your Company to sync the email.

If an email is updated on the Know Your Company side you would issue an API request to update the email. You may have to find a good way to look up the user by external_id though; maybe this is an endpoint that can be added to your authenticator plugin.
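
The receiving side of the User Event webhook described in the reply above, as an added Ruby example that is not part of the original thread or of either project's code: it verifies the signature Discourse attaches to each delivery, ignores every event except `user_updated`, and syncs the email by user id. The `user.id` and `user.email` payload fields, the `ACCOUNTS` mapping, the plain-hash headers and the secret are assumptions made for the illustration.

```ruby
require "openssl"
require "json"

# Constructed sample data: the secret, ids and addresses are placeholders.
WEBHOOK_SECRET = "constructed-shared-secret"
# Hypothetical main-app table: Discourse user id => main-app account.
ACCOUNTS = { 42 => { kyc_id: 7, email: "old@example.com" } }

# Constant-time comparison, so the check does not reveal how many
# leading characters of a forged signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Discourse signs the raw request body with the webhook secret and sends
# "sha256=<hex HMAC-SHA256>" in the X-Discourse-Event-Signature header.
def valid_signature?(raw_body, signature_header)
  expected = "sha256=" + OpenSSL::HMAC.hexdigest("SHA256", WEBHOOK_SECRET, raw_body)
  secure_equal?(expected, signature_header.to_s)
end

# headers is assumed to be a plain Hash keyed by the original header names.
# Returns a symbol describing what was done with the delivery.
def handle_user_webhook(raw_body, headers, accounts = ACCOUNTS)
  # Authenticate first: unsigned or forged deliveries must never change an email.
  return :rejected unless valid_signature?(raw_body, headers["X-Discourse-Event-Signature"])
  # User webhooks also fire on login, logout, creation and approval.
  return :ignored unless headers["X-Discourse-Event"] == "user_updated"

  user = JSON.parse(raw_body).fetch("user", {})
  email = user["email"].to_s
  return :ignored if email.empty?

  account = accounts[user["id"]]
  return :unknown_user if account.nil?
  return :unchanged if account[:email] == email

  account[:email] = email
  :email_synced
rescue JSON::ParserError
  :rejected
end
```

The signature must be computed over the raw bytes of the request body as received, before any JSON parsing or re-serialization.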


Thank you so much, this is really helpful. I’m using the Plugin store to store the KYC id in Discourse’s database so I’m gonna use that. And the idea of using hooks to keep track of updates is great. Again, thank you for the help.