Hi @zuzust ,
Did you find the way to achieve that?
Hi @trobiyo, it wasn't an easy one, too much core logic involved and no abstraction to complete the creation with a single call. auto_create_account: true did nothing, maybe it was a deprecated option. But I wrote some references to the code involved in my plugin: https://github.com/adab1ts/discourse-oauth2-participa/blob/master/plugin.rb#L65. Hope it helps. Let me know if you develop that feature.
Did a plugin ever get made for this?
I don't understand what you're asking.
Is there a plugin I can install to have discord login to my site
Yes - Install this plugin. Configure the plugin with the discord configuration I provided. You can now login using discord over oauth2.
Is everything just copy and paste or do I need to add my own stuff?
FYI I just released a plugin for logging in via Discord. This will require less configuration to get up and running than using the Basic Oauth2 plugin.
Hi guys,
I have an issue connecting to a custom oauth provider. This OAuth provider works with different applications (even RocketChat to name an OOS project). But I am having issues configuring Discourse… I figured the more educated users could have a look at my config.
The first steps of the OAuth-dance work just fine - I correctly put in the scopes in my /authorize URL (as described by @awole20 in his post OAuth2 Basic Support) and I am presented our oauth provider's HTML page to authenticate. After entering authentication data the callback url (https://answers.intranetdomain.net/auth/oauth2_basic/callback <-- is it okay to have https here even though the Github doc says http?) is called but after 30 seconds this runs into a 502 served by nginx in Discourse's docker container.
My oauth2 config is (I removed the BASE_URL for the screenshot, otherwise it would not have fit):
The oauth provider requires the token to be served in the auth header, therefore I exclude it from user json url (but I already tried with ?access_token=:token).
I checked the nginx logs from within the docker container - but they don't tell (me) anything:
2018/01/12 10:26:38 [error] 73#73: *1483 upstream prematurely closed connection while reading response header from upstream, client: 10.159.156.114, server: _, request: "GET /auth/oauth2_basic/callback?code=....etc.etc...", host: "https://DISCOURSE_HOST.net", referrer: "https://OAUTH_HOST.net"
Unfortunately also the Discourse production.log doesn't explain much - following is printed to Discourse production.log in the moment I hit "authorize" button in the oauth provider's login form:
Started GET "/auth/oauth2_basic" for 127.0.0.1 at 2018-01-12 10:26:05 +0000
(oauth2_basic) Setup endpoint detected, running now.
(oauth2_basic) Request phase initiated.
Started GET "/auth/oauth2_basic/callback?code=4613d133-56b6-.....etc.etc...." for 127.0.0.1 at 2018-01-12 10:26:08 +0000
(oauth2_basic) Setup endpoint detected, running now.
(oauth2_basic) Callback phase initiated.
It stops there and doesn't continue… I tried many, many different form inputs, always the same outputs - except ofc when I don't provide scopes --> then the oauth provider rejects the request.
Is the information provided enough for the educated user to give me advice?
Would this be better posted in the Support Category?
Can you post related discourse error log. You can see it in URL http://discourse.example.com/logs
Hey @vinothkannans, thank you for your reply. Unfortunately there are no logs in http://MY_DOMAIN.com/logs. :-/ Even though I marked "Include rich debugging information in your logs" in the plugin's settings, I find no additional log info.
My instance is running behind a proxy. I configured Discourse correctly to cope with that - from inside the running docker container I can curl websites in the internet. But curl'ing the /access_token endpoint from within the docker container fails whereas it succeeds from the VM's shell. Could this be part of the issue? The oauth provider is only reachable within my company's intranet, so should I add a "no_proxy" env to be picked up by the auth module?
Update 01/13/2018: I want to add something: the SMTP server is also sitting in the intranet and Discourse has no problems reaching this resource… I also read the logs of the oauth server: the /access_token endpoint didn't get any request from discourse at all.
Update 01/14/2018: I also tested the Google Oauth2 plugin and it works right away, so connecting to an oauth resource in the internet is working. How can I enable Discourse to reach an internally hosted oauth2 endpoint?
Hi all,
I want to give this a little bump.
The "progress" I made since my last post three days ago: setting no_proxy variable in the container's app.yml allows curl to reach the internal oauth resource from within the container. My guess now is that the auth module from Discourse is not picking up this variable… How can I pass a rails application environment variables, esp. a no-proxy variable? Also, how can I adjust Rails' log level to get more entries in the production.log file?
Hi all,
I've found out what the problem is. Unfortunately it's discourse's oauth2 plugin's inability to use no_proxy environment variable. I've found out that the responsible gem package is called Faraday (Github link), which Discourse is using with a too-old version number where it doesn't support no_proxy variable.
Okay, here my "analysis":
Discourse in version v1.9.0 uses:
omniauth-oauth2 (1.4.0)
oauth2 (~> 1.0)
omniauth (~> 1.2)
The package oauth2 (Github link tag v1.0.0) in version v1.0.0 uses:
Gem::Specification.new do |spec|
spec.add_dependency 'faraday', ['>= 0.8', '< 0.10']
But the package faraday (Github link) got the no_proxy feature added in version 0.12. The pull request adding this feature is this one.
The project oauth2 (github link tag v1.4.0) references the appropriate version of the faraday package for the first time in version v1.4.0:
Gem::Specification.new do |spec|
spec.add_dependency 'faraday', ['>= 0.8', '< 0.13']
Unfortunately the package omniauth-oauth2 (github link tag v1.5.0) in its latest version v1.5.0 from December 2017 only references the package oauth2 in version v1.1. instead of the needed version v1.4:
Gem::Specification.new do |gem|
gem.add_dependency "oauth2", "~> 1.1"
I validated that the no_proxy variable is the issue by setting up a small transparent squid as the target of http_proxy on the same machine that forwards all requests to the real proxy - except requests to the oauth2-provider. These requests were not forwarded to the proxy. Aaand this works!
So, what would you guys suggest to do next?
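As an added example (not code from the post or from any of the projects named), the following Ruby evaluates the version constraints quoted above with RubyGems' own requirement matcher and reads the locked faraday version out of a Gemfile.lock fragment. The lockfile text is constructed sample data, and the helper names are hypothetical.

```ruby
require "rubygems"

# Dependency constraints exactly as quoted in the post above.
OAUTH2_NEEDS_FARADAY = {
  "1.0.0" => [">= 0.8", "< 0.10"],
  "1.4.0" => [">= 0.8", "< 0.13"],
}.freeze
OMNIAUTH_OAUTH2_NEEDS_OAUTH2 = {
  "1.4.0" => ["~> 1.0"],
  "1.5.0" => ["~> 1.1"],
}.freeze
NO_PROXY_SINCE = Gem::Version.new("0.12") # first faraday with no_proxy, per the post

# Constructed Gemfile.lock fragment (sample data, not Discourse's real lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      faraday (0.9.2)
      oauth2 (1.0.0)
        faraday (>= 0.8, < 0.10)
      omniauth-oauth2 (1.4.0)
        oauth2 (~> 1.0)
LOCK

# True when `version` satisfies every constraint in the list.
def allows?(constraints, version)
  Gem::Requirement.new(*constraints).satisfied_by?(Gem::Version.new(version))
end

# Quoted oauth2 releases that the given omniauth-oauth2 release accepts
# and that themselves accept the given faraday version.
def oauth2_releases_permitting(faraday_version, omniauth_oauth2_version)
  oauth2_req = OMNIAUTH_OAUTH2_NEEDS_OAUTH2.fetch(omniauth_oauth2_version)
  OAUTH2_NEEDS_FARADAY.select do |oauth2_version, faraday_req|
    allows?(oauth2_req, oauth2_version) && allows?(faraday_req, faraday_version)
  end.keys
end

# Top-level "name (version)" entries of the specs section (4-space indent).
def locked_versions(lock_text)
  lock_text.scan(/^ {4}([\w-]+) \(([\d.]+)\)$/).to_h
end

# The locked faraday version decides whether no_proxy is honoured.
def no_proxy_capable?(lock_text)
  faraday = locked_versions(lock_text)["faraday"]
  !faraday.nil? && Gem::Version.new(faraday) >= NO_PROXY_SINCE
end

if __FILE__ == $PROGRAM_NAME
  puts "oauth2 releases permitting faraday 0.12: #{oauth2_releases_permitting('0.12', '1.5.0')}"
  puts "sample lock honours no_proxy: #{no_proxy_capable?(SAMPLE_LOCK)}"
end
```

The gemspec ranges only bound what Bundler may pick; the version recorded in the application's Gemfile.lock is what is actually loaded.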
I'd suggest working with the associated projects to get them to upgrade faraday so the feature is supported. Once they have a stable release we can update discourse to use them.
We're using an oAuth2 provider that has additional information in the user JSON. Is there any way I could store this in a user profile field or, even better, assign badges based on this information?
If you are going to store and retrieve the fields other than id, username, email then you must develop a custom plugin I think.
Inside a plugin you could use either way.
Fair enough! Could that "hook in" to the existing oAuth2 plugin? I'd rather not have to fork the entire thing just to add this one feature.
Sure you can do. Take a look at linkedIn oauth2 plugin to understand how to use existing built-in code.
I'm building OAuth2 with my own provider, I ran into a lot of issues as it required the scope to be set to profile.
I tried everything inside of the oauth2 authorize options for scope=profile, etc. Then forked the repo, added in the line:
opts[:scope] = 'profile'
And everything worked seamlessly. Thanks! This should definitely be added in as a site setting in the future.