Login to Discourse with custom Oauth2 provider

faq-material

(Cassius Chen) #1

How do I log in to Discourse with my own OAuth2 provider?

I have an app as an OAuth2 provider, and other apps can use omniauth-oauth2 or my custom gem to get the info and sign up the user. Can Discourse do so? Or can the admin provide the App ID, App Secret and Provider URL, and then use these to log in?


(Daniel Marquard) #2

I also need OAuth. There’s this, the official single sign-on plugin for Discourse, but it won’t suffice for me.

I am developing a first-of-its-kind academic social network for a university and I have my eye on Discourse. I’ll need OAuth to authenticate users against Blackboard, though.

So I’m tossing in my +1 for OAuth. Hopefully it can be supported natively in Discourse. :slight_smile:


(Vikhyat Korrapati) #3

Discourse has support for custom OAuth2 authentication built in, here’s an example of how you can add a custom auth mechanism using OAuth2 via a plugin:

require 'auth/oauth2_authenticator'
require 'omniauth-oauth2'

class HummingbirdAuthenticator < ::Auth::OAuth2Authenticator

  CLIENT_ID = '...'
  CLIENT_SECRET = '...'

  def register_middleware(omniauth)
    omniauth.provider :hummingbird, CLIENT_ID, CLIENT_SECRET
  end
end

class OmniAuth::Strategies::Hummingbird < OmniAuth::Strategies::OAuth2
  # Give your strategy a name.
  option :name, "hummingbird"

  # This is where you pass the options you would pass when
  # initializing your consumer from the OAuth gem.
  option :client_options, site: 'http://hummingbird.me'

  # These are called after authentication has succeeded. If
  # possible, you should try to set the UID without making
  # additional calls (if the user id is returned with the token
  # or as a URI parameter). This may not be possible with all
  # providers.
  uid { raw_info['id'].to_s }

  info do
    {
      :name => raw_info['name'],
      :email => raw_info['email']
    }
  end

  extra do
    {
      'raw_info' => raw_info
    }
  end

  def raw_info
    @raw_info ||= access_token.get('/oauth/me.json').parsed
  end
end

auth_provider :title => 'Sign in with Hummingbird account',
    :message => 'Log in using your Hummingbird account. (Make sure your popup blocker is disabled.)',
    :frame_width => 920,
    :frame_height => 800,
    :authenticator => HummingbirdAuthenticator.new('hummingbird', trusted: true,
      auto_create_account: true)
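
The strategy above builds the account from whatever `/oauth/me.json` returns, and the authenticator is registered with `trusted: true` and `auto_create_account: true`. The following is an added example, not part of the original post or of Discourse, showing checks a plugin author could run on that response before using it. The helper names and the `email_verified` field are assumptions, as is the reading that `trusted: true` makes Discourse treat the provider's email as already verified.

```ruby
require 'json'

# Added example: checks the JSON that a user-info endpoint such as
# /oauth/me.json returns before it becomes uid/name/email.
class UserInfoError < StandardError; end

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

def map_user_info(json_body)
  raw = JSON.parse(json_body)
  raise UserInfoError, 'user info must be a JSON object' unless raw.is_a?(Hash)

  # raw_info['id'].to_s turns a missing id into "", which would give
  # every such response the same uid; reject it instead.
  uid = raw['id'].to_s.strip
  raise UserInfoError, 'missing id' if uid.empty?

  email = raw['email'].to_s.strip.downcase
  raise UserInfoError, 'malformed email' unless email.match?(EMAIL_RE)

  {
    uid: uid,
    name: raw['name'].to_s.strip,
    email: email,
    # 'email_verified' is an assumed field. Only a JSON true counts;
    # an absent field or the string "true" does not.
    email_verified: raw['email_verified'] == true
  }
rescue JSON::ParserError
  raise UserInfoError, 'response is not valid JSON'
end

# Constructed sample responses (not captured from any real provider).
SAMPLES = {
  ok:         '{"id": 42, "name": "Ada", "email": "Ada@Example.org", "email_verified": true}',
  unverified: '{"id": 43, "name": "Bob", "email": "bob@example.org"}',
  no_id:      '{"name": "Eve", "email": "eve@example.org"}',
  bad_email:  '{"id": 44, "name": "Mal", "email": "not-an-email"}',
  not_json:   '<html>login required</html>'
}.freeze

def check_samples
  SAMPLES.transform_values do |body|
    begin
      map_user_info(body)
    rescue UserInfoError => e
      e.message
    end
  end
end
```

`check_samples` returns the mapped hash for each accepted response and the rejection reason for each refused one.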

(Daniel Marquard) #4

This is great! I’ve been searching and didn’t realize there was a solution for this yet. I hope to test it out soon!


(parasquid) #5

I had the same question a month ago, and it was surprisingly easy to create a plugin for login:

What took me the longest time to figure out was how to restart the webapp so it can detect the newly installed plugin.


(Paulo Oliveira) #6

Will your example work with the “OAuth1a” version?


(Brian Adams) #7

Just wanted to note that the solution does not work for hosted accounts that don’t have access to modify the source at the moment. Exposing the OAuth2 configuration through the UI would be a really nice thing!


(Frans Thamura) #9

Can I know how the FB login in Discourse works, and which source logic?

We have our own OAuth2 server, meruvian/yama on GitHub, and the real online version is www.merv.id

We want to make Discourse our forum, so we want to change the login to use merv.id, or maybe anyone that implements our Yama.

Any idea?


(Jeff Atwood) #10

@eviltrout this request does come up a fair bit, people want to use their existing oauth as sso. Any thoughts on that?


(Sam Saffron) #11

We can add “generic oauth settings” but the trouble is that each oauth provider is quirkily a bit different.

It works fine now with plugins.


(Jeff Atwood) #12

Issue is we do not have plugins on std and biz hosting. So there would need to be a default oauth plugin.


(Robin Ward) #13

I think we could try and create a default “generic” oauth plugin. Sam is right that each one I’ve done so far is slightly different but we could take a stab at extracting those differences into settings that people could configure.

I would need some example “plain” oauth sites to test out.


(Robin Ward) #14

I took a stab at this this week and managed to come up with a Basic OAuth2 plugin that works. The caveat is you need to have a JSON endpoint on your server so that we can obtain other information about the user.

I tested it with SoundCloud as a provider, and it worked great. I’d love other people to give it a whirl and let me know feedback and I’m sure as we try it out with more providers we’ll find changes and configuration options that will be required.


(Beanieboi) #15

Hey!

Thanks for the OAuth2 Provider. It’s working like a charm!
I have one question, which Google couldn’t answer for me.
Is it possible to combine the OAuth2 Plugin with the enable_sso plugin?

Right now when I click the “login with provider” button it connects to our OAuth Provider and grabs all the information and pre-fills the registration form with the user data (like on meta.discourse.com, when I log in with GitHub).
How can I skip the registration and directly create the account, so that the user doesn’t have to register again?

Thanks for your help!
ben


(Jeff Atwood) #16

No, SSO is mutually exclusive and disables all other forms of auth.


(Taylor Fayle) #17

@DanielMarquard Were you successful in getting SSO via Blackboard? I’m thinking Discourse could be a great alternative to BB discussions.


(Daniel Marquard) #18

I ended up not getting a contract for this project, so I didn’t pursue it further, but I think it could absolutely be done. Have you tried out the Discourse oAuth 2 plugin?


(Leo Giovanetti) #19

Is this still the case? I’ve been trying to close the same gap as @beanieboi described for so long to improve the experience and have a seamless experience for my customers, but it seems like there is no way around it. Any other suggestions to accomplish this?

Thanks in advance!


(Jeff Atwood) #20

That is the case, that is the entire purpose of SSO – seamless magic login. Otherwise you want the oAuth 2 menu of providers.


(Leo Giovanetti) #21

Here is my problem: SSO vs Oauth2 difference?

Seems like I’m confusing things then, or maybe the use case I want to cover isn’t possible.