Note that I’ve made an updated draft PR with a new approach (incorporating changes requested by @david on my last attempt). As mentioned in the comments to the PR, I’m looking to finish it off sometime this week.
3 Likes
Just so I’m not getting myself excited for no reason — this says “google”… will it also work with non-google oauth2 sso?
2 Likes
It’s a generic system, but the first supported use case will be groups in a google workspace. Once the system is in place adding support for additional providers will not be too difficult.
5 Likes
Note that this PR was moved from draft to published over the weeknd (i.e. it’s ready for review again).
5 Likes
I just merged this PR - huge thanks for all your work here @angus! Excited to see how this gets used and extended going forward! 
I’ve labelled the site setting “Experimental” for now, to give us some time to test it out and make sure everything is working smoothly. Once we’re confident, and we’ve added support in a few more authentication providers, I’ll be sure to make a #feature:announcements topic for the feature.
8 Likes
Awesome! 
Thank you David. It wouldn’t have happened without your support. Happy to help with adding additional providers.
6 Likes
YES! Thank you everyone. We’re planning to use this extensively in Fedora once it works with oauth2.
5 Likes
I’m also excited for this to be available for non-Google oauth2/openID logins…any update on if/when that option might be available?
5 Likes
We don’t have a specific timeline, but it’s certainly pr-welcome if anyone would like to submit a patch
5 Likes
Looking forward to this as well! The use case for us is to pull group membership from Keycloak on authentication.
8 Likes
I am currently self-hosting Discourse and using Authentik as my identity provider for authentication. What I would like to achieve is to automatically synchronize users’ groups from Authentik with specific groups in Discourse upon login.
But… I want to ensure that local users who sign up through Discourse’s local registration process do not get assigned to these specific groups and instead follow the normal trust level progression.
2 Likes
Hi!
We have migrated our auth from Atlassian Crowd (now no longer supported in Discourse) to OpenID Connect (via Keycloak) and wanted to use the Crowd group mapping code that we contributed some years ago in the discourse-openid-connect plugin.
We have working code changes that allow configuration of maps between OpenID Connect groups and Discourse groups and have put it in a PR FEATURE: Openid connect group maps by benzoid · Pull Request #34763 · discourse/discourse · GitHub .
Hope this might be considered to be merged in and would be willing to add to docs or tests (if I can be pointed at a guide for the tests – I’m not a native ruby programmer (yet)!).
Ben
2 Likes