OAuth2 + email login without sign up form

I am building a community portal where I will use OAuth2 to link the provider and Discourse. I want to allow email login only if the email is invited to the community (so there should be no registration button), but I want to allow all OAuth2 logins.

I cannot seem to work this out with the OAuth2 / Login settings. Is it possible? Essentially, I want to override the registration settings for OAuth2.

I think you just need to turn on invite only. Have you done that and it’s not doing what you need?

So, just enable them?

What have you done and what is not what you expect?

Fair question. This is the first thing I tried. Here’s what happens (this is post oauth flow):

Next stop was to uncheck “enable new registrations”:

I can’t post the image (new user here), but it says “New account registrations are not allowed at this time.”

I’m not sure what other options exist that would solve the issue. I’ve tried a plethora of combinations (I can’t list everything here), and I haven’t found an outcome that works yet.

I think that my intent was not captured. I have OAuth2 login flow working normally, but I want to keep it enabled while also disabling new registrations. OAuth2 and email registration settings seem tied together, so I can’t “just enable” OAuth2 while leaving email registration disabled.

What do you want to happen if someone who hasn’t been invited tries to log in?

Oh! Are you saying that this is what someone sees if they try to respond to an invite link?

You want to accept only people who are invited. You want those people to be forced to log in with Clove. Right? That appears to be what happened in your example.

I’d think that invite only plus disabling all login types except for Clove would do what you’re looking for. People who don’t have Discourse accounts would see the “invite only” dialog you display. People who have been invited should be able to log in via the Clove-oauth.

Additional explanation may be helpful to get across the goal:

I am setting up a semi-private community where there are 3 types of users: staff members (email login), application users (SSO provided via OAuth2), special guests (email, not app users). I want to require invites for special guests (allowing them to log in via email), but I want to treat OAuth2 users as “trusted” and they don’t require an invite. The reason for this is that having the account needed to perform the OAuth2 successfully means that you’re trusted.

I can get email-based logins with invites set up properly, but that messes up the OAuth2 logins because they also require an invite. I don’t want them to need or see an invite—they have trust by virtue of having the SSO account.

Does this help explain the problem better?

That’s the bit that I was missing!

I think, but I’m not sure, that external auth skip create confirm might be what you’re looking for. The description mentions only SSO, but I think it now works for oauth as well. I helped someone else set up a site that skips the create dialog for their oauth2 config and I think this was the trick.

I will try that with the various other options. Here are the results:

Invite only + external skip:

invite only, external skip, disable email login:

It looks like these ones won’t work.

Ah. Yeah. Darn. My next guess is that you’d need to fork the oauth2 plugin and have it override the invite-only setting.

Thanks @pfaffman, that seems to be what I’ve come to accept. I don’t think it’s possible for hosted Discourse, right? If not, I may need to figure out something else for it.
