Official Single-Sign-On for Discourse (sso)

(George Kushnir) #367

This might seem silly.

I have discourse running in an iFrame, and I have SSO working.

However, what I am doing is redirecting to a page that reloads the parent page to the SSO one. My issue with this is that it’s not silent, and looks pretty bad.

is there a way to generate the SSO URL/data other than using the SSO url setting? Preferably an existing POST/GET request?


(Sigurður Guðbrandsson) #368

@n4ru I have the same problem … this causes massive GET requests to our forum.

One possible solution would be to allow a GET parameter redirect=0 to the SSO URL. That way, we could let the Discourse SSO know that this is a hidden iframe autologin

@sam do you think this is possible?
Has this perhaps already been implemented?


(Sigurður Guðbrandsson) #369

Hmm … looking at the source code, I see that there is return_path query parameter and a setting for allowing any URL in the return path.

@sam is there documentation on how to implement return_path properly?


(Colin Gauvin) #371

I’m having some issues getting this working with WordPress. Not finding much in the way of help when searching.

The problem I’m having is that I have a WordPress site that I want to set up to act as the login. I have the Discourse set to private. So if someone navigates to forum.mywebsite.com it should redirect to the login page on WordPress (/wp-login.php), which it does. The issue is that when I log in, instead of then redirecting back to the Discourse site, or even loading the WordPress site, it simply refreshes /wp-login.php as if the user isn’t logged in, but it displays no error message. If I then navigate to forum.mywebsite.com manually (the Discourse site) then it loads back to mywebsite.com and the user isn’t logged in. So for some reason, it’s not working. The plugin is configured correctly, but I am getting the error that the site isn’t connected, even though the URL and the API and secret code are all correct.

I assume it has something to do with the site not being connected, but I’m not sure why it says it’s not connected when all the information is filled out correctly. Any ideas?

Running the latest version of Discourse, Wordpress, and the plugin.

EDIT: It’s returning a 404 error in the WordPress plugin even though the site is working fine if I navigate via a web browser. Running curl -Is http://forum.healthyfathershealthykids.com | head -1 returns a 301 Redirect, which is odd because no DNS entry exists. Perhaps it’s because I’m running a proxy in Apache to forward to the Discourse/Nginx? Either way, the site works fine in a browser, which is strange. Clearly neither the plugin nor cURL can connect with the forum site though.


(Blake Erickson) #372

I created a very simple but working example SSO Endpoint that anyone can use for testing or learning how SSO works:


(Erlend Sogge Heggen) #374

A post was split to a new topic: OAuth2 Authorization and Resource Server


(Mirko) #375

Has support for POST in addition/instead of GET ever been added to SSO? Or would there be some way for us to make the required code change in the code of our own Discourse instance?


(Sam Saffron) #376

Why would POST be required? We use nonces, so replay attacks do not work.


(Mirko) #377

We’re trying to use an Oauth provider who apparently expects the call to be POST. Here’s the response we’re getting:

HTTP Status 405 - Method Not Allowed
description The specified HTTP method is not allowed for the requested resource.

Maybe we’re not doing this the right way; I simply checked ‘enable sso’ and entered the other site’s Oauth token URL in ‘sso url’ (The URL is https://www.z2systems.com/np/oauth/token)


(Michael Brown) #378

This tripped me up as it exists due to a third party but is oooold: https://rubygems.org/gems/discourse_sso


(Jason Sachs) #379

Does this impact the new user signup process? Our company has a bunch of meaningless user IDs in LDAP (e.g. C12345), so it would be advantageous to still allow people to choose their Discourse username to be an arbitrary human-readable value, as long as the email address is the thing that is used to key into SSO.


(Dany) #380

I managed to integrate the SSO into my website, but I have 2 problems:

It seems to work for most of the users but the main admin.

I got this error:

Completed 500 Internal Server Error in 2ms (ActiveRecord: 0.0ms)
RuntimeError (Bad signature for payload

sso: bm9uY2U9MjE5N2Q1ZDU2YjBmY2VhYTQ2ZjdlY2QwZjdiNmEyMjkmZW1haWw9ZGFuaWVsc2F3YW5AZ21haWwuY29tJnJlcXVpcmVfYWN0aXZhdGlvbj1mYWxzZSZleHRlcm5hbF9pZD0xJnVzZXJuYW1lPUpvaG4mbmFtZT1TQVdBTiZhdmF0YXJfdXJsPWh0dHA6Ly85Mi4xNTQuMjIuMTQ1OjgwODAvcHJvZmlsZS9pbWcvMQ==

sig: 45ada6163e1e327c5fa2c6b491c81e30eaa178c580d240e195aa0d9123bef869

expected sig: 3e153ae6c8313b3c94e19963cdd4db6ef86f041017b6a058c6f023df03c72a20)
/var/www/discourse/lib/single_sign_on.rb:31:in `parse'

I ask to overwrite the profile image and submit a new URL when processing the SSO login, but it doesn’t take it. The image is still the standard Discourse one.

Thanks for your help!

Update 1): Seems like when the user already exists in the forum (imported from MyBB) the SSO doesn’t work. I get

expected sig: 3f301ee699fa9842c1a21d705ca8af6c461b22bdf77edf7f212ab4c8c8783bb7)
/var/www/discourse/lib/single_sign_on.rb:31:in `parse'

When it is a new user and discourse register it then there is no problem.

Update 1) I found the bug. It seems like, unlike the docs say, we don’t have to URL encode the base64 encoded payload. Instead URL encode each field apart before base64 encoding. Seems like the SSO login system works now.

Update 2) Even if SSO login works for all users as mentioned above, I still can’t manage to override the local avatar with the SSO avatar.

Update 3) Seems like other people have the same problem: Avatar not showing up though avatar_url is correct


(Ned Twigg) #381

@sam everyone in this thread is getting a different value for the response signature. There is a right answer, it would be great to get confirmation. I’m getting 3a8dd1a73254003d616d610f66049cf741dfcb924c76b9e75efa01b2507ad0d0, and I’m otherwise character-for-character identical to the example.

I built your example into a testcase here, the implementation is here, and I can prove that the testcase is running because Travis says so :slight_smile:

EDIT: FWIW, the implementation is working, which gives me confidence that the true checksum is the 3a8dd1... listed above.
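To make the signing and encoding discussed in the posts above concrete, here is a minimal end-to-end Discourse SSO exchange written as an added example; it is not code from this thread or from Discourse itself. Discourse signs a nonce, the provider verifies it and answers with the user’s fields, and Discourse checks the returned sig and nonce age; the secret, nonce lifetime and user values are constructed for the example.

```ruby
require "base64"
require "openssl"
require "uri"

# Constructed values for this example; the real secret is the "sso secret" site setting.
SSO_SECRET = "example-shared-secret".freeze
NONCE_TTL  = 600 # assumed lifetime of an issued nonce, in seconds
# sig is HMAC-SHA256 over the base64 string exactly as it travels in the sso param.
def sso_sign(secret, payload_b64)
  OpenSSL::HMAC.hexdigest("sha256", secret, payload_b64)
end
# Constant-time compare so a wrong sig cannot be probed byte by byte.
def sig_valid?(secret, payload_b64, sig)
  expected = sso_sign(secret, payload_b64)
  return false unless sig.is_a?(String) && sig.bytesize == expected.bytesize
  sig.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end
# Either side: verify a signed payload and return its fields, or nil on a bad sig.
def sso_parse(secret, sso, sig)
  return nil unless sig_valid?(secret, sso, sig)
  URI.decode_www_form(Base64.decode64(sso)).to_h
end
# Discourse side: the signed request it sends to the provider's "sso url".
def sso_request(secret, nonce, return_sso_url)
  query = URI.encode_www_form("nonce" => nonce, "return_sso_url" => return_sso_url)
  sso = Base64.strict_encode64(query)
  { "sso" => sso, "sig" => sso_sign(secret, sso) }
end
# Provider side: answer with the user's fields. encode_www_form percent-encodes each
# field value, then the whole query string is base64-encoded and signed.
def sso_response(secret, nonce, user)
  fields = { "nonce" => nonce, "email" => user[:email], "external_id" => user[:external_id],
             "username" => user[:username], "name" => user[:name] }
  sso = Base64.strict_encode64(URI.encode_www_form(fields))
  { "sso" => sso, "sig" => sso_sign(secret, sso) }
end
# Provider side: the redirect target; the two params are URL-encoded once more here.
def sso_login_url(discourse_url, params)
  "#{discourse_url}/session/sso_login?#{URI.encode_www_form(params)}"
end
# Discourse side: accept only if the sig checks out and the nonce is one it issued recently.
# issued maps nonce => time issued; an expired or unknown nonce reads as a login timeout.
def sso_accept(secret, issued, params, now)
  fields = sso_parse(secret, params["sso"], params["sig"])
  return nil if fields.nil? || issued[fields["nonce"]].nil?
  return nil if now - issued[fields["nonce"]] > NONCE_TTL
  fields
end
```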


#382

Has anyone used Amazon Cognito as a sso provider for Discourse?

I followed the instructions for setting up user pools, app clients and domain, then entered the SSO URL and secret into the admin panel in Discourse, but I’m getting a blank screen when I enable SSO on Discourse on login attempt.


(Michael Howell) #383

Discourse’s built-in SSO isn’t compatible with Cognito. Actually, it’s specific to Discourse.

You’re either going to need a plugin for your forum, or a service that translates between it and Cognito.


(Adrianbblk) #384

Is there a way to use the SSO for multiple Discourse instances? For example, if I want to have a main global Discourse on my “examples.com” domain and a few other local ones like fr.exemples.com and so on. How do I set up SSO for these? Practically the same account for all my Discourse installations?


(Sam Saffron) #385

Yeah, very straightforward, you would share the same SSO provider.


(Rafael Oliveira) #386

This is probably something really easy to figure out, but after everything is set up, attempting to login shows the user an Account login timed out, please try logging in again. error.

I’d assume this is due to me taking too long to authenticate, but I’m taking less than 15 seconds, including all redirects and user inputs.

Possible issues and respective solutions?


(Rafael dos Santos Silva) #387

Is the clock correct on both machines (the Discourse one and the SSO source)?


(Rafael Oliveira) #388

I believe so, yes. How would that affect the problem?