OAuth2 Basic - Legacy replies

I am also receiving the same error as @Mark_Zegarelli. Has that issue been resolved?

Has anyone else received a

      Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?

error?

Could it be from the dependency updates?

Yes, we have had the same problem for a couple of weeks; it worked absolutely fine before. It might indeed be the result of some dependency updates (or some other Discourse internal changes, as no changes were made on the OAuth provider side in this timeframe), but for now we don’t have any solution from Discourse colleagues.

@MikhailVink Thank you for your swift reply.

@eviltrout I assume this is being resolved? Or still searching for the problem?

Thanks so much!

Last I heard @techAPJ was still looking into it. Perhaps he can update here about the progress.

@DiscourseofLife

We had this working fine through last week after the plugin was updated.

But today I’m getting the same error as before. I can troubleshoot more tomorrow.

I did get a notice that Discourse was updated on Friday, I wonder if that did it? FWIW, we have a local install that still works properly.

1 Like

I just reproduced this issue locally and can confirm that discourse-oauth2-basic plugin is broken after updating omniauth-oauth2 gem version to 1.4.0

I am now getting this error:

      invalid_grant: {"error":"invalid_grant"}

Reverting the omniauth-oauth2 gem version to 1.3.1 fixes this issue. (cc @sam)


This issue is already reported here: https://github.com/intridea/omniauth-oauth2/issues/81


UPDATE: I downgraded omniauth-oauth2 gem version to 1.3.1

https://github.com/discourse/discourse/commit/4e8a2981a7766b3d5d874d8a3202b1dfce098c0f

This issue should be fixed now.

4 Likes

Thanks @techAPJ. I’ve confirmed this works on my instance.

3 Likes

@Mark_Zegarelli How did you activate the new version? Just update via /admin/upgrade?

Also, has anyone encountered an error where the redirect_uri passed is incorrect? My instance is on a subdomain and https if that matters.

@DiscourseofLife

I have a Discourse-hosted instance, so I think the update was pushed automatically.

Hi folks, I am using https://github.com/evonove/django-oauth-toolkit as Oauth2 provider.

I’ve been working with the vagrant box in the discourse repo. There seems to be no magic combination to get the Oauth login button to appear.

I can test my django oauth provider against Django OAuth Toolkit Example and it works fine.

Any ideas?

Thanks!

I’ve successfully linked Keycloak with Discourse using this plugin - thanks! For the “oauth2 json user id path” field I had to use “sub” because Keycloak returns an access token with the OIDC standard, which indicates the user ID as the “sub” field.

Incorrect user authenticated with bad “oauth2 json user id path” field
The issue I’d just like to bring up was when I mistakenly used “id” for this field (which doesn’t exist in the token), this plugin logged me in as the wrong user, let’s call him Tom. Tom was able to successfully register but any other user after that, regardless of machine or browser, would be successfully authenticated through Keycloak (I could see the correct session in KC), but this Discourse plugin still logged in a different user as Tom. As soon as I fixed the “oauth2 json user id path” field everything worked fine. I know this is a configuration error but I wanted to bring it up in case anyone else sees that or if it’s a bug.

1 Like
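One way the wrong-user login reported in the post above can arise, as an added example (not the plugin's code and not written by any poster): it assumes the id is looked up by a dotted path and that a missing value is coerced to an empty string, so every login lands on the same key, while `strict_uid` fails closed. All function names and the sample JSON are constructed for illustration.

```ruby
require 'json'

# Walk a dotted path such as "sub" or "user.id" through parsed JSON.
# Returns nil as soon as a segment is missing.
def walk_path(json, path)
  path.split('.').reduce(json) do |node, key|
    node.is_a?(Hash) ? node[key] : nil
  end
end

# Lenient lookup (hypothetical): a missing value silently becomes "".
def lenient_uid(body, path)
  walk_path(JSON.parse(body), path).to_s
end

class MissingUserId < StandardError; end

# Strict lookup: refuse to authenticate unless the path yields a
# non-empty scalar, so a wrong path setting fails closed.
def strict_uid(body, path)
  value = walk_path(JSON.parse(body), path)
  unless value.is_a?(String) || value.is_a?(Integer)
    raise MissingUserId, "no usable id at path #{path.inspect}"
  end
  uid = value.to_s.strip
  raise MissingUserId, "empty id at path #{path.inspect}" if uid.empty?
  uid
end

# Constructed sample responses in the shape of OIDC userinfo (not captured data).
TOM   = '{"sub":"7f3c-tom","preferred_username":"tom"}'
ALICE = '{"sub":"91ab-alice","preferred_username":"alice"}'

# Maps provider uid -> local account, creating the account on first sight.
def login(accounts, uid, username)
  accounts[uid] ||= username
end

# With the wrong path "id", both users share the key "" and Alice becomes Tom.
def demo
  accounts = {}
  first  = login(accounts, lenient_uid(TOM, 'id'), 'tom')
  second = login(accounts, lenient_uid(ALICE, 'id'), 'alice')
  { first: first, second: second }
end
```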

Hello all,

I am trying to install OAuth2 support to link Discourse to Drupal. On the Drupal side, I have installed OAuth2 login provider, which depends on OAuth2 server. The main links seem to be http://example.com/oauth2/authorize and http://example.com/oauth2/token.

On the Discourse side, I have a fresh Docker installation on a Debian Jessie machine. It has only one account (the admin account).

For settings, I installed the OAuth2 Basic plugin, and configured it exclusively from the discourse site. My settings look like so:

I have changed no other settings. I get the following at the login screen:

If I turn off local login and change no other setting, I get:

If I add in other external auth mechanisms, I get:

If I add in other external auth mechanisms and leave local login enabled, I get:

There seem to be no other settings or iterations that matter. There’s nothing that I can see that is ‘wrong’ here except for the error message “translation missing: en.site_settings.oauth2_button_title” under the button title setting, which I think isn’t relevant.

Any thoughts on what I might be doing wrong here?

Thank you,

tarek : )

Bumping the topic. I still cannot get the “OAuth2” button to even appear. Any thoughts on what I might be doing wrong? This is on a stock docker installation with the plugin added.

tarek : )

Embarrassingly, the problem here was that I needed to do a ‘./launcher rebuild app’ to properly install the plugin. Thank you all for your help!

2 Likes

Hello all,

After much effort and some discussion with @dashohoxha, it appears as though the Drupal OAuth2 login provider requires POST, but only GET is/can be sent by OAuth2 Basic.

This is the offending line, which would make it a problem of OAuth2 Basic and not callback in general.

From discourse-oauth2-basic/plugin.rb:53:in 'fetch_user_details':

user_json = JSON.parse(open(user_json_url, 'Authorization' => "Bearer #{token}" ).read)

From trying to debug this on IRC, it appears that:

[12:31:56] <jmarinelli> open-uri only supports GET
[12:32:42] <jmarinelli> look into HTTParty, or Net::HTTP if you don't want to add dependencies
[12:32:55] <havenwood> You could use Net::HTTP from the stdlib but it's a bit unwieldy. I'd suggest HTTP.rb for a gem: https://github.com/httprb/http#readme

I have tried to play around with the plugin, but I cannot set up a dev environment in a way that makes sense and have no Ruby experience. Would @eviltrout consider making this change?

tarek : )
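The Net::HTTP route suggested in the IRC excerpt above, as an added example (not the plugin's code and not from any poster): the request verb becomes a setting while the Bearer header is kept, and the response is checked before it is parsed. The `verb` parameter, the function names, the https requirement and the timeouts are assumptions made for this sketch.

```ruby
require 'json'
require 'net/http'
require 'uri'

class UserInfoError < StandardError; end

# Build the user-details request. `verb` stands in for a hypothetical
# site setting and accepts "GET" or "POST" in any letter case.
def build_userinfo_request(url, token, verb = 'GET')
  uri = URI.parse(url)
  # A bearer token must not travel over plain HTTP.
  raise UserInfoError, 'userinfo URL must be https' unless uri.is_a?(URI::HTTPS)
  klass = { 'GET' => Net::HTTP::Get, 'POST' => Net::HTTP::Post }[verb.to_s.upcase]
  raise UserInfoError, "unsupported verb #{verb.inspect}" unless klass
  req = klass.new(uri)
  req['Authorization'] = "Bearer #{token}" # header, not query string
  req['Accept'] = 'application/json'
  req.body = '' if req.request_body_permitted? # empty body for POST
  req
end

# Parse the provider's reply only when it is a 2xx JSON object.
def parse_userinfo(status, body)
  unless (200..299).cover?(status.to_i)
    raise UserInfoError, "provider returned HTTP #{status}"
  end
  data = JSON.parse(body)
  raise UserInfoError, 'expected a JSON object' unless data.is_a?(Hash)
  data
rescue JSON::ParserError => e
  raise UserInfoError, "invalid JSON: #{e.message}"
end

# Send the request with TLS and short timeouts, then validate the reply.
def fetch_userinfo(url, token, verb = 'GET')
  req = build_userinfo_request(url, token, verb)
  res = Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true,
                        open_timeout: 5, read_timeout: 5) { |h| h.request(req) }
  parse_userinfo(res.code, res.body)
end
```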

I am quite busy right now so unless a paying customer requests it I doubt I will have time to make that change any time soon. But perhaps someone in the community can step up and submit a PR 🙂

2 Likes

Could you put a ballpark cost on it?

I’ve just set up my dev environment, so I’ll work on it. Also, I asked @dashohoxha if it’s possible for the plugin to accept GET.

tarek : )

1 Like

I’m not used to dropping costs for features. Generally we just wait for someone to sign up for a plan who wants the feature 🙂

5 Likes

OK, I finally got this working and onto the next hurdle. Here is the patch:

diff --git a/plugin.rb b/plugin.rb
index 2eca4db..d9f7ace 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -4,6 +4,7 @@
 # authors: Robin Ward
 
 require_dependency 'auth/oauth2_authenticator.rb'
+require 'http'
 
 enabled_site_setting :oauth2_enabled
 
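Review bot: `require 'http'` at the top of plugin.rb pulls in a third-party gem, but nothing in this hunk declares or pins it, so the plugin will fail to load on any install where that gem is not already present. Declare the dependency with a pinned version next to the require, or use Net::HTTP from the standard library as suggested earlier in the thread. The omniauth-oauth2 1.4.0 breakage reported above shows why an unpinned gem in the login path is a risk.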
@@ -50,7 +51,7 @@ class OAuth2BasicAuthenticator < ::Auth::OAuth2Authenticator
 
   def fetch_user_details(token)
     user_json_url = SiteSetting.oauth2_user_json_url.sub(':token', token)
-    user_json = JSON.parse(open(user_json_url, 'Authorization' => "Bearer #{tok
+    user_json = JSON.parse(HTTP.post(user_json_url))
 
     result = {}
     if user_json.present?
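Review bot: In `fetch_user_details`, the new `HTTP.post(user_json_url)` call no longer sends the `'Authorization' => "Bearer ..."` header that the removed line passed, so the token reaches the provider only when the configured URL contains `:token`, which puts it in the URL where it can end up in logs. Send the same header on the POST. The verb is also switched from GET to POST unconditionally, which changes behaviour for every provider that already works with GET; make it a site setting that defaults to GET. The response is parsed without a status check, so an error body would flow into the `user_json.present?` branch; verify a 2xx status before calling `JSON.parse`.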

Note that I took away the authorization bearer, but that should be fine. I also don’t know how to properly address the fact I added a new Gem. Is this unacceptable in Discourse development?

Also, I’m not entirely sure how to make it an option.

Are there any obvious errors here? Or should I submit this as a PR? Are there OAuth2 providers that will accept GET but not POST?

tarek : )