Oauth2 plugin sso, how to switch off email verification

shahidmir · May 15, 2018, 4:32pm

Hi guys,
For about 4 weeks or longer I have been working on SSO between Auth0 and discourse, on and off. I have gone for different solutions and had to change my approach a few times. I am now at a point where I need further advice.

1- I started by using the SSO approach mentioned in this article:

Recently it has come to light that the redirect approach mentioned in this article (redirecting from auth0 rule to discourse via the SSO login url) results in an incomplete login on Auth0 end, hence a customer login is not registered, which impacts the SSO cookie etc on Auth0 side. So we have to move away from this approach.

2- I have now deployed the 0auth2 plugin and am using the approach specified below:

The issue I have now is the “requirement to verify email” before discourse creates the user record and logs the user in. Is there no way to turn this feature off via the dashboard config?
What is the best approach to work around this if the feature cant be turned off? I dont want the user to have to verify the email in discourse.

I have found a few articles but the seem overly complicated.

Regards
shahid

blake · May 15, 2018, 4:38pm

There is a setting called “oauth2 email verified” that you can check. Here is the description for the setting:

Check this if the OAuth2 site has verified the email

shahidmir · May 15, 2018, 4:42pm

hi blake,

thanks for that. I did actually switch that on, but still get the message on the login page about email being unverified?

shahidmir · May 15, 2018, 4:48pm

blake · May 15, 2018, 4:52pm

What do you have set in the “oauth2 json email path” box?

Maybe that isn’t set correctly

Stephen · May 15, 2018, 4:57pm

Does that assume the upstream Oauth2 IdP has verified email addresses?

shahidmir · May 15, 2018, 4:57pm

shahidmir · May 15, 2018, 4:58pm

yes thats the case i believe.

blake · May 15, 2018, 5:02pm

Okay can you look in your logs and see if you see anything? Also could you look at one of the new users and see if they actually have an email address?

shahidmir · May 15, 2018, 5:03pm

is the user record in discourse only created after the verification? if i go in as admin, should i see the record?

blake · May 15, 2018, 5:05pm

They should be in there before verification. You may need to click on the new tab and/or sort by created date /admin/users/list/new?order=created

shahidmir · May 15, 2018, 5:07pm

interesting… as the users are not there

blake · May 15, 2018, 5:09pm

hmm okay. See what you can find in /logs. I’m not really sure what is going on. I’ll have to login into my auth0 account and see if I can get it working again and see if I run into a similar issue.

shahidmir · May 15, 2018, 5:10pm

thanks, will check the logs and update.

shahidmir · May 15, 2018, 5:56pm

Hi
taking a look at the logs below, does it seem as if the json call to the authentication provider for user info is not returning anything?

(oauth2_basic) Callback phase initiated.

Processing by Users::OmniauthCallbacksController#complete as HTML

Parameters: {"code"=&gt;"P-xxxxxxxxx-4", "state"=&gt;"b65xxxxxxxxxaa

5769cxxxxxxx9", "provider"=&gt;"oauth2_basic"}

OAuth2 Debugging: after_authenticate response:

creds: {"token"=&gt;"wPxxxxxxxxxxxxwq7", "expires_at"=&gt;1526490618, ""

expires"=&gt;true}

info: {"id"=&gt;nil, "name"=&gt;nil}

extra: {}

OAuth2 Debugging: user_json_url: GET https://xxxxxxxxx/userinfo

OAuth2 Debugging: user_json: {}

Rendering users/omniauth_callbacks/complete.html.erb within layouts/no_ember

Rendered users/omniauth_callbacks/complete.html.erb within layouts/no_ember (00

.5ms)

Rendered layouts/_head.html.erb (0.2ms)

Rendered common/_special_font_face.html.erb (0.2ms)

Rendered common/_discourse_stylesheet.html.erb (0.1ms)

Rendered application/_header.html.erb (0.1ms)

Completed 200 OK in 201ms (Views: 2.3ms | ActiveRecord: 11.1ms)

Started GET "/discussion/srv/status" for 127.0.0.1 at 2018-05-15 17:10:23 +0000

blake · May 15, 2018, 5:59pm

Yes, it doesn’t look like it is returning anything since user_json is empty

blake · May 16, 2018, 1:23am

Okay I figured out a couple of the issues and one of them may require a code fix. I’ll post my findings tomorrow.

shahidmir · May 16, 2018, 8:12am

hi blake,

so that i dont misunderstand, are you saying this will not work until a fix is made on your side?

regards
shahid

shahidmir · May 16, 2018, 8:56am

strangely, when the auth0 lock widget pops up through oauth2 login, when i enter the username/password a fresh, i get valid json back. But if i click on the username that it already remembers (so not re-entering username/password) it gives me blank json.

shahidmir · May 16, 2018, 10:43am

hi blake, i have this working now, just need to figure out the silent auth bit (when auth lock widget comes up remembering previously used login), which i think is calling the authentication provider without the necessary scopes for the end point…

I have another issue though. The userId that is coming back from the userInfo json endpoint is a url namespace e.g. https://domain.user.id.
In the oauth2 plugin config i am specifying this domain as the userId field, but i think instead of taking that field from the json it seems to be trying to find “.id” at the “https://domain” --> “user” --> “id” node.

How do i get around this issue?

regards

Topic		Replies	Views
Disable email verification for SSO Support	12	3718	September 17, 2021
Silent login/signup via Auth0 SSO	8	4703	May 29, 2018
Configure sign up and log in with Auth0 using the OAuth2 Basic Plugin Integrations sso , oauth2 , auth-plugins , how-to	71	18266	August 15, 2024
SSO vs Oauth2 difference? SSO	18	9828	November 14, 2019
Sorry, there was an error authorizing your account SSO oauth2	21	6812	February 10, 2020

Oauth2 plugin sso, how to switch off email verification

Related topics