Groepslidmaatschap beheren via authenticatie

angus · 8 november 2021 om 06:10

Note that I’ve made an updated draft PR with a new approach (incorporating changes requested by @david on my last attempt). As mentioned in the comments to the PR, I’m looking to finish it off sometime this week.

github.com/discourse/discourse

Group membership via google hd authentication

main ← angusmcleod:group_membership_via_authentication

merged 12:30PM - 09 Dec 21 UTC

angusmcleod

+926 -16

Update on #12446. @davidtaylorhq A draft for an update on the associated grou…p membership work. It's been rebased, brought in line with the latest changes and updated in the ways explained below. Let me know if you're onboard with the approach so far. I'll finish it off next weekend. ### Authentication and group retrieval I've removed the secondary auth stuff, added a google-hd-specific boolean setting, and moved the group retrieval into a new google oauth2 omniauth strategy. I've made a new folder and added a spec for the strategy (something new in the codebase) as I thought it deserved a spec (which is also included). If we add in secondary auth to this strategy that too will need a spec. Some of the existing discourse omniauth strategies, e.g. Discord, may benefit from being seperated out and tested too. ### Group Provision and UI As suggested, I've added a ``provides_groups?`` to the ``Auth::Authenticator``. Using this approach led to a new groups guardian method to use at the various group CRUD points. Speaking of which, I've added in support for group_associated_group creation in group creation (i.e. ``/g/custom/new``). Supporting it in both ``new`` and ``manage`` (update) also led to adding a new site attribute ``can_associate_groups``. I attempted to make this more group-route specific, however this leads to various clumsy workarounds to determine whether an admin can associate groups in ``/g/custom/new``. The site attribute approach proved the simplest and most performant (i.e. fewer ajax calls). ### Data model I've made one change to the data model so far, namely to use ``after_commit`` hooks rather than ``after_create``/``after_destroy`` as using those hooks leads to duplicate record creation in ``Admin::GroupsController`` ``create``. I've yet to deal with the edge case you pointed out, i.e. multiple UserAssociatedGroups which link to the same group.

mattdm · 8 november 2021 om 14:57

Just so I’m not getting myself excited for no reason — this says “google”… will it also work with non-google oauth2 sso?

angus · 8 november 2021 om 15:01

It’s a generic system, but the first supported use case will be groups in a google workspace. Once the system is in place adding support for additional providers will not be too difficult.

angus · 22 november 2021 om 06:06

Note that this PR was moved from draft to published over the weeknd (i.e. it’s ready for review again).

github.com/discourse/discourse

Group membership via google hd authentication

main ← angusmcleod:group_membership_via_authentication

merged 12:30PM - 09 Dec 21 UTC

angusmcleod

+926 -16

Update on #12446. @davidtaylorhq A draft for an update on the associated grou…p membership work. It's been rebased, brought in line with the latest changes and updated in the ways explained below. Let me know if you're onboard with the approach so far. I'll finish it off next weekend. ### Authentication and group retrieval I've removed the secondary auth stuff, added a google-hd-specific boolean setting, and moved the group retrieval into a new google oauth2 omniauth strategy. I've made a new folder and added a spec for the strategy (something new in the codebase) as I thought it deserved a spec (which is also included). If we add in secondary auth to this strategy that too will need a spec. Some of the existing discourse omniauth strategies, e.g. Discord, may benefit from being seperated out and tested too. ### Group Provision and UI As suggested, I've added a ``provides_groups?`` to the ``Auth::Authenticator``. Using this approach led to a new groups guardian method to use at the various group CRUD points. Speaking of which, I've added in support for group_associated_group creation in group creation (i.e. ``/g/custom/new``). Supporting it in both ``new`` and ``manage`` (update) also led to adding a new site attribute ``can_associate_groups``. I attempted to make this more group-route specific, however this leads to various clumsy workarounds to determine whether an admin can associate groups in ``/g/custom/new``. The site attribute approach proved the simplest and most performant (i.e. fewer ajax calls). ### Data model I've made one change to the data model so far, namely to use ``after_commit`` hooks rather than ``after_create``/``after_destroy`` as using those hooks leads to duplicate record creation in ``Admin::GroupsController`` ``create``. I've yet to deal with the edge case you pointed out, i.e. multiple UserAssociatedGroups which link to the same group.

david · 9 december 2021 om 12:32

I just merged this PR - huge thanks for all your work here @angus! Excited to see how this gets used and extended going forward!

I’ve labelled the site setting “Experimental” for now, to give us some time to test it out and make sure everything is working smoothly. Once we’re confident, and we’ve added support in a few more authentication providers, I’ll be sure to make a #feature:announcements topic for the feature.

angus · 9 december 2021 om 13:44

Awesome!

Thank you David. It wouldn’t have happened without your support. Happy to help with adding additional providers.

mattdm · 9 december 2021 om 14:18

YES! Thank you everyone. We’re planning to use this extensively in Fedora once it works with oauth2.

jimkleiber · 10 maart 2022 om 23:57

I’m also excited for this to be available for non-Google oauth2/openID logins…any update on if/when that option might be available?

david · 11 maart 2022 om 11:49

We don’t have a specific timeline, but it’s certainly pr-welcome if anyone would like to submit a patch

agungor · 19 mei 2022 om 15:11

Looking forward to this as well! The use case for us is to pull group membership from Keycloak on authentication.

irregular · 11 augustus 2024 om 22:25

I am currently self-hosting Discourse and using Authentik as my identity provider for authentication. What I would like to achieve is to automatically synchronize users’ groups from Authentik with specific groups in Discourse upon login.

But… I want to ensure that local users who sign up through Discourse’s local registration process do not get assigned to these specific groups and instead follow the normal trust level progression.

bsoares · 10 september 2025 om 16:42

Hi!

We have migrated our auth from Atlassian Crowd (now no longer supported in Discourse) to OpenID Connect (via Keycloak) and wanted to use the Crowd group mapping code that we contributed some years ago in the discourse-openid-connect plugin.

We have working code changes that allow configuration of maps between OpenID Connect groups and Discourse groups and have put it in a PR FEATURE: Openid connect group maps by benzoid · Pull Request #34763 · discourse/discourse · GitHub .

Hope this might be considered to be merged in and would be willing to add to docs or tests (if I can be pointed at a guide for the tests – I’m not a native ruby programmer (yet)!).

Ben

Topic		Antwoorden	Weergaven
Memberpress: how to add users to groups upon Sign up WordPress	40	9412	8 juni 2024
Manage group membership in Discourse with WP Discourse SSO Administrators groups , wordpress , payments , how-to	77	17330	7 mei 2023
Allow moderators to add a member to a group? Feature	49	11099	28 december 2017
Improved Group Members Management Feature rfc , spec	31	11171	7 januari 2016
Groups API - manually syncing group membership? Dev rest-api	8	1707	13 december 2022

Groepslidmaatschap beheren via authenticatie

Gerelateerde topics