Oauth2 plugin sso, how to switch off email verification


(shahid) #1

Hi guys,
For about 4 weeks or longer I have been working on SSO between Auth0 and discourse, on and off. I have gone for different solutions and had to change my approach a few times. I am now at a point where I need further advice.

1- I started by using the SSO approach mentioned in this article:

Recently it has come to light that the redirect approach mentioned in this article (redirecting from auth0 rule to discourse via the SSO login url) results in an incomplete login on Auth0 end, hence a customer login is not registered, which impacts the SSO cookie etc on Auth0 side. So we have to move away from this approach.

2- I have now deployed the 0auth2 plugin and am using the approach specified below:

The issue I have now is the “requirement to verify email” before discourse creates the user record and logs the user in. Is there no way to turn this feature off via the dashboard config?
What is the best approach to work around this if the feature cant be turned off? I dont want the user to have to verify the email in discourse.

I have found a few articles but the seem overly complicated.

Regards
shahid


(Blake Erickson) #2

There is a setting called “oauth2 email verified” that you can check. Here is the description for the setting:

Check this if the OAuth2 site has verified the email


(shahid) #3

hi blake,

thanks for that. I did actually switch that on, but still get the message on the login page about email being unverified?


(shahid) #4


(Blake Erickson) #5

What do you have set in the “oauth2 json email path” box?

Maybe that isn’t set correctly


(Stephen) #6

Does that assume the upstream Oauth2 IdP has verified email addresses?


(shahid) #7


(shahid) #8

yes thats the case i believe.


(Blake Erickson) #9

Okay can you look in your logs and see if you see anything? Also could you look at one of the new users and see if they actually have an email address?


(shahid) #10

is the user record in discourse only created after the verification? if i go in as admin, should i see the record?


(Blake Erickson) #11

They should be in there before verification. You may need to click on the new tab and/or sort by created date /admin/users/list/new?order=created


(shahid) #12

interesting… as the users are not there


(Blake Erickson) #13

hmm okay. See what you can find in /logs. I’m not really sure what is going on. I’ll have to login into my auth0 account and see if I can get it working again and see if I run into a similar issue.


(shahid) #14

thanks, will check the logs and update.


(shahid) #15

Hi
taking a look at the logs below, does it seem as if the json call to the authentication provider for user info is not returning anything?

(oauth2_basic) Callback phase initiated.

Processing by Users::OmniauthCallbacksController#complete as HTML

Parameters: {"code"=>"P-xxxxxxxxx-4", "state"=>"b65xxxxxxxxxaa

5769cxxxxxxx9", "provider"=>"oauth2_basic"}

OAuth2 Debugging: after_authenticate response:

creds: {"token"=>"wPxxxxxxxxxxxxwq7", "expires_at"=>1526490618, ""

expires"=>true}

info: {"id"=>nil, "name"=>nil}

extra: {}

OAuth2 Debugging: user_json_url: GET https://xxxxxxxxx/userinfo

OAuth2 Debugging: user_json: {}

Rendering users/omniauth_callbacks/complete.html.erb within layouts/no_ember

Rendered users/omniauth_callbacks/complete.html.erb within layouts/no_ember (00

.5ms)

Rendered layouts/_head.html.erb (0.2ms)

Rendered common/_special_font_face.html.erb (0.2ms)

Rendered common/_discourse_stylesheet.html.erb (0.1ms)

Rendered application/_header.html.erb (0.1ms)

Completed 200 OK in 201ms (Views: 2.3ms | ActiveRecord: 11.1ms)

Started GET "/discussion/srv/status" for 127.0.0.1 at 2018-05-15 17:10:23 +0000

(Blake Erickson) #16

Yes, it doesn’t look like it is returning anything since user_json is empty


(Blake Erickson) #17

Okay I figured out a couple of the issues and one of them may require a code fix. I’ll post my findings tomorrow.


(shahid) #18

hi blake,

so that i dont misunderstand, are you saying this will not work until a fix is made on your side?

regards
shahid


(shahid) #19

strangely, when the auth0 lock widget pops up through oauth2 login, when i enter the username/password a fresh, i get valid json back. But if i click on the username that it already remembers (so not re-entering username/password) it gives me blank json.


(shahid) #20

hi blake, i have this working now, just need to figure out the silent auth bit (when auth lock widget comes up remembering previously used login), which i think is calling the authentication provider without the necessary scopes for the end point…

I have another issue though. The userId that is coming back from the userInfo json endpoint is a url namespace e.g. https://domain.user.id.
In the oauth2 plugin config i am specifying this domain as the userId field, but i think instead of taking that field from the json it seems to be trying to find “.id” at the “https://domain” --> “user” --> “id” node.

How do i get around this issue?

regards