OAuth2 Basic - Legacy replies

Here is another patch set that does not create a new dependency. Thank you to Tubbo, Dsimon and Fox_Mulder_CP for their help on #rubyonrails. The same questions of how best to integrate this apply.

diff --git a/plugin.rb b/plugin.rb
index 2eca4db..feed336 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -4,6 +4,9 @@
 # authors: Robin Ward
 
 require_dependency 'auth/oauth2_authenticator.rb'
+require 'net/http'
+require 'uri'
+
 
 enabled_site_setting :oauth2_enabled
 
@@ -50,7 +53,7 @@ class OAuth2BasicAuthenticator < ::Auth::OAuth2Authenticator
 
   def fetch_user_details(token)
     user_json_url = SiteSetting.oauth2_user_json_url.sub(':token', token)
-    user_json = JSON.parse(open(user_json_url, 'Authorization' => "Bearer #{tok
+    user_json = JSON.parse(Net::HTTP.post_form(URI(user_json_url), {'Authorization' => "Bearer #{token}"} ).body)


 
     result = {}
     if user_json.present?

tarek : )

We can’t just replace the GET with a POST in case some providers only support GET. I could only accept a patch like this if it was a site setting.

Yes, I think that sounds amazing. Unfortunately, my RoR skills are not such that I have any idea how to do that, so I’ll have to leave this patch here until somebody comes along who knows how to make it usable by others.

tarek : )

@eviltrout is right, this should be a setting on the configuration page of the plugin, to select whether to use a GET or POST request, and then based on this setting you either make a GET or POST request.

Also I think that you are missing the header: ‘Authorization’ => “Bearer #{token}”’. Without it you will not get authorized and will not get the data of the profile.

I’ve fixed the authorization bearer thing in my paste above.

OK. Meanwhile I have extended the Drupal module to accept both POST /oauth2/user/profile and GET /oauth2/user_profile (see the description at https://www.drupal.org/project/oauth2_loginprovider).
So, you can try again with GET, and if it works, leave the RoR plugin as it is (less trouble for eviltrout).

Thanks to @dashohoxha, the Drupal implementation is now complete and documented. Thank you @eviltrout and others for your help as well!

I notice that the OAuth2 plugin does not bring the avatar, even though providers like soundcloud above and Drupal do give it.

I also noticed that the SSO function does allow the avatar to be overridden:

Overrides user avatar with external site avatar from SSO payload. If enabled, disabling allow_uploaded_avatars is highly recommended

Is there some way to integrate this into OAuth2 Basic? Or is this a question of enabling an option elsewhere?

It looks like this is the PR by @wilhansen_li for the SSO plugin. Would it just be a question of doing the same thing in the OAuth2 Basic plugin, then?

Thank you!

Yes that is not a standard feature of our login plugins generally. If it could be done in a clean, optional way I’d accept it as a PR.

Do you have advice on the best way to proceed? What do you think of starting by just implementing the PR from SSO straight, and then trying to figure out the bugs?

I don’t think you’ll be able to just drop that in. You’ll have to see how it works and adopt something similar.

Is there anyway to customize the oauth button look? I would like to change the color and add an icon so it looks like the others (google, etc.)

sure, it has a class you can apply styles to using site customizations. You can also control the text displayed on the button.

Hello all,

I’m using the OAuth2 provider, and having a problem logging in, which I thought was initially independent and so I posted to this thread.

Other users’ logins work perfectly. However, when one of these users tries to login (and only this one), I get a “Create new account” screen even though the account already exists. If I enable local login, his login works perfectly. Predictably, if the email is kept, then a new account will not create.

Changing the user’s email address or even username does not seem to have an impact - the error still happens.

Here is the information from User.find_by_username. It’s been anonymized, but is otherwise the actual info:

[1] pry(main)> u = User.find_by_username("testuser")
=> #<User:0x0055
 id: 15,
 username: "TestUser",
 created_at: Thu, 25 May 2006 02:14:00 UTC +00:00,
 updated_at: Mon, 27 Jun 2016 19:35:50 UTC +00:00,
 name: "Test User",
 seen_notification_id: 9321,
 last_posted_at: Thu, 02 Jun 2016 17:40:11 UTC +00:00,
 email: "testuser@example.org@",
 password_hash:
  "hidden",
 salt: "hidden",
 active: true,
 username_lower: "testuser",
 auth_token: nil,
 last_seen_at: Mon, 27 Jun 2016 13:49:01 UTC +00:00,
 admin: false,
 last_emailed_at: Mon, 27 Jun 2016 19:35:38 UTC +00:00,
 trust_level: 4,
 approved: true,
 approved_by_id: nil,
 approved_at: nil,
 previous_visit_at: Thu, 09 Jun 2016 19:11:03 UTC +00:00,
 suspended_at: nil,
 suspended_till: nil,
 date_of_birth: nil,
 views: 0,
 flag_level: 0,
 ip_address: #<IPAddr: IPv4:x.x.x.x/255.255.255.255>,
 moderator: false,
 blocked: false,
 title: nil,
 uploaded_avatar_id: nil,
 locale: "",
 primary_group_id: 42,
 registration_ip_address: nil,
 trust_level_locked: true,
 staged: false,
 first_seen_at: Thu, 09 Jun 2016 19:11:03 UTC +00:00>
[2] pry(main)> 

Any thoughts as to why this (and only this) particular user might be ‘broken’?

OK, I believe I have identified the bug that led to this.

It appears that this user’s email address changed at some point, both on the main site and on discourse.

However, it appears that the OAuth2 Basic plugin is trying to match the user from the oauth2 provider to the user from discourse through some mechanism that excludes the account whose email address was changed.

As such, the plugin refuses to accept the above user.

If I had to guess, I would guess that this line is responsible:

https://github.com/discourse/discourse-oauth2-basic/blob/master/plugin.rb#L98

However, I am not sure how to access that date to try to delete it.

Furthering the discussion, I can now get the actual wrong entry, though I can’t yet manipulate it:

[33] pry(main)> ::PluginStore.get(“oauth2_basic”, “oauth2_basic_user_527”)
=> {“user_id”=>294}

However, it should be 15 as above.

I found a solution to this:

[39] pry(main)> ::PluginStore.set("oauth2_basic", "oauth2_basic_user_527", {user_id: 15 })

I have integrated the plugin with sound cloud and it’s not working

It redirects me to sound-cloud for Authentication but then it returns me to discourse’s signup page saying “Email matches this registered username”

any ideas ?
@eviltrout Can you please share your thoughts ? Thanks

I’m sorry I haven’t heard of this particular issue. I’m sure the plugin is working so I suggest checking your settings.

Thanks for this great plugin.

I have defined some custom fields in discourse user settings, and the corresponding values are provided in JSON coming from my OAuth2-Provider.
Is there a way to (pre-)populate custom fields in the Signup-Popup with data coming from OAuth (when admin specifies their path via setting i.e. “oauth2 json custom1 path”)