Is "partial" SSO possible?

rodypl · April 7, 2021, 8:25am

I’m not a developer, so I don’t even know what to search to find the answer to my question. I’m currently trialing Discourse right now and how users log in have been on my mind a lot.

At the start of my trial I was convinced SSO was the way I would go once my trial was over, but now I’m not so sure. It seems like I’d lose some nice Discourse features if I enabled SSO (like the invite features) and I don’t know if there advantage in my case is worth it.

Is it possible to have my forum use both the built in Discourse accounts AND my site’s account? Similar to how you can set up “or Log in with Facebook/Google/Apple” options?

You know how when a user tries to log in/create an account they’re presented with the email/password fields, but on the right of that it gives them options to log in with Facebook, Google, etc? Could I simply have my site’s account be one of these options on the right?

So if a user just wants to use my main site’s login and not create a new account specifically for the forum they could, but they wouldn’t be required for it.

Is this possible? And is this advisable? As in, are there any reasons why I shouldn’t go this route? Thanks!

david · April 7, 2021, 9:10am

It depends on what you mean by “SSO”:

If you’re talking about DiscourseConnect - Official Single-Sign-On for Discourse (sso), then you cannot use it alongside other login options.
If you’re talking about OAuth2, OpenID Connect, or any of our other authentication plugins, then yes they can be used alongside each other, and alongside email/password login.

Good news on that front - we’ve recently added invite support for DiscourseConnect

github.com/discourse/discourse

FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419)

committed 12:20AM - 19 Mar 21 UTC

martin-brennan

+339 -144

This PR allows invitations to be used when the DiscourseConnect SSO is enabled …for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353

And for other login methods:

These changes are live in the latest version of Discourse

pfaffman · April 7, 2021, 10:35am

You can do that by implementing oauth2 on your server so that it could function like Google and github and friends. (Or having someone do that, since you’re not a developer.)

rodypl · April 7, 2021, 1:18pm

Thanks! Could you link me to documentation about that please?

david · April 7, 2021, 1:24pm

Those two plugins can be found at:

Himanshu_Singh · May 21, 2021, 6:37pm

I am excited to see the compatibility feature between SSO and invites but it does not seem to work on my end.

My main site is on WordPress and I am using the WP Discourse plugin to integrate the two applications. I also have a registration form that conducts email authentication on WordPress and I have written custom code to prevent Discourse from sending duplicate verification emails to users on registration. I have enabled must_approve_users in discourse to prevent anyone for accessing the community without approval.

I followed the following steps and user was not approved in the end. Just like before.

Invite user with the email address
User opens the email invite and click on the link
User is directed to the discourse logged out page with a welcome message and CTA to continue
Clicking on the CTA takes the user to the login page on WordPress
As the user is not registered on WordPress, I had to create a new account for the user - which I think makes sense since WordPress does not know that Discourse invited this user.
After registration, I receive a confirmation email from WordPress. I click on that email and I am directed to the login page in WordPress.
After logging in WordPress, I try to the community but I cannot.
I go to the admin account and check the status of the user and as I suspected, it is Needs approval. This is exactly the same situation I had before sending an invite.

What am I missing here? Is there some other flow I need to follow? Can I only invite users that are already registered on WordPress? Looking for some guidance here. Thank you.

My Discourse Version: 2.8.0.beta1