设置 DiscourseConnect - Discourse (sso) 官方单点登录

文档 集成
, , ,
1

DiscourseConnect is a core Discourse feature that allows you to configure “Single Sign-On (SSO)” to completely outsource all user registration and login from Discourse to another site. Offered to our pro, business and enterprise hosting customers.

:information_source: (Feb 2021) ‘Discourse SSO’ is now ‘DiscourseConnect’. If you are running an old version of Discourse, the settings below will be named sso_... rather than discourse_connect_...

The Problem

Many sites wishing to integrate with a Discourse site want to keep all user registration in a separate site. In such a setup all login operations should be outsourced to that different site.

What if I would like SSO in conjunction with existing auth?

The intention around DiscourseConnect is to replace Discourse authentication, if you would like to add a new provider see existing plugins such as: Discourse VK Authentication (vkontakte)

Enabling DiscourseConnect

To enable DiscourseConnect you have 3 settings you need to fill out:

Screenshot 2021-02-11 at 12.40.34
Screenshot 2021-02-11 at 12.40.341632×474 119 KB

enable_discourse_connect : must be enabled, global switch
discourse_connect_url: the offsite URL users will be sent to when attempting to log on
discourse_connect_secret: a secret string used to hash SSO payloads. Ensures payloads are authentic.

Once enable_discourse_connect is set to true:

  • Clicking on login or avatar will, redirect you to /session/sso which in turn will redirect users to discourse_connect_url with a signed payload.
  • Users will not be allowed to “change password”. That field is removed from the user profile.
  • Users will no longer be able to use Discourse auth (username/password, google, etc)

What if you check it by mistake?

See: Log back in as admin after locking yourself out with read-only mode or an invalid SSO configuration

Implementing DiscourseConnect on your site

:warning: Discourse uses emails to map external users to Discourse users, and assumes that external emails are secure. IF YOU DO NOT VALIDATE EMAIL ADDRESSES BEFORE SENDING THEM TO DISCOURSE, YOUR SITE WILL BE EXTREMELY VULNERABLE!

Alternatively, if you insist on sending unvalidated emails BE SURE to set require_activation=true, this will force all emails to be validated by Discourse. WE STILL STRONGLY ADVISE THAT YOU DO NOT DO THIS, so if you proceed with that setting enabled, you are assuming substantial risk.

Discourse will redirect clients to discourse_connect_url with a signed payload: (say discourse_connect_url is https://somesite.com/sso)

You will receive incoming traffic with the following

https://somesite.com/sso?sso=PAYLOAD&sig=SIG

The payload is a Base64 encoded string comprising of a nonce, and a return_sso_url. The payload is always a valid querystring.

For example, if the nonce is ABCD. raw_payload will be:

nonce=ABCD&return_sso_url=https%3A%2F%2Fdiscourse_site%2Fsession%2Fsso_login, this raw payload is base 64 encoded.

The endpoint being called must

  1. Validate the signature: ensure that HMAC-SHA256 of PAYLOAD (using discourse_connect_secret, as the key) is equal to the sig (sig will be hex encoded).
  2. Perform whatever authentication it has to
  3. Create a new url-encoded payload with at least nonce, email, and external_id. You can also provide some additional data, here’s a list of all keys that Discourse will understand:
    • nonce should be copied from the input payload
    • email must be a verified email address. If the email address has not been verified, set require_activation to “true”.
    • external_id is any string unique to the user that will never change, even if their email, name, etc change. The suggested value is your database’s ‘id’ row number.
    • username will become the username on Discourse if the user is new or SiteSetting.auth_overrides_username is set.
    • name will become the full name on Discourse if the user is new or SiteSetting.auth_overrides_name is set.
    • avatar_url will be downloaded and set as the user’s avatar if the user is new or SiteSetting.discourse_connect_overrides_avatar is set.
    • avatar_force_update is a boolean field. If set to true, it will force Discourse to update the user’s avatar, whether avatar_url has changed or not.
    • bio will become the contents of the user’s bio if the user is new, their bio is empty or SiteSetting.discourse_connect_overrides_bio is set.
    • Additional boolean (“true” or “false”) fields are: admin, moderator, suppress_welcome_message
  4. Base64 encode payload
  5. Calculate a HMAC-SHA256 hash of the payload using discourse_connect_secret as the key and Base64 encoded payload as text
  6. Redirect back to the return_sso_url with an sso and sig query parameter (http://discourse_site/session/sso_login?sso=payload&sig=sig)

Discourse will validate that the nonce is valid, and if valid, it will expire it right away so it can not be used again. Then, it will attempt to:

  1. Log the user on by looking up an already associated external_id in the SingleSignOnRecord model
  2. Log the user on by using the email provided (updating external_id) (unless require_activation = true)
  3. Create a new account for the user providing (email, username, name) updating external_id

Security concerns

The nonce (one time token) will expire automatically after 10 minutes. This means that as soon as the user is redirected to your site they have 10 minutes to log in / create a new account.

The protocol is safe against replay attacks as nonce may only be used once. The nonce is tied to the current browser session to protect against CSRF attacks.

Specifying group membership

If the discourse connect overrides groups option is specified, Discourse will consider the comma separated list of groups passed in groups.

Screenshot 2021-02-11 at 12.35.15
Screenshot 2021-02-11 at 12.35.151554×156 53.1 KB

Aside from groups, you may also specify group membership in your SSO payload using the add_groups and remove_groups attributes regardless of the discourse connect overrides groups option.

add_groups is a comma delimited list of group names we will ensure the user is a member of.
remove_groups is a comma delimited list of group names we will ensure the user is not a member of.

Reference implementation

Discourse contains a reference implementation of the SSO class:

A trivial implementation would be:

class DiscourseSsoController < ApplicationController
  def sso
    secret = "MY_SECRET_STRING"
    sso = DiscourseApi::SingleSignOn.parse(request.query_string, secret)
    sso.email = "user@email.com"
    sso.name = "Bill Hicks"
    sso.username = "bill@hicks.com"
    sso.external_id = "123" # unique id for each user of your application
    sso.sso_secret = secret

    redirect_to sso.to_url("http://l.discourse/session/sso_login")
  end
end

Transitioning to and from single sign on.

As long as the require_activation parameter is not set to true in the request payload, the system will trusts emails provided by the single sign on endpoint. This means that if you had an existing account in the past on Discourse with DiscourseConnect disabled, DiscourseConnect will simply re-use it and avoid creating a new account.

If you ever turn off DiscourseConnect, users will be able to reset passwords and gain access back to their accounts.

Real world example:

Given the following settings:

Discourse domain: http://discuss.example.com
DiscourseConnect url : http://www.example.com/discourse/sso
DiscourseConnect secret: d836444a9e4084d5b224a60c208dce14
Email validated: No (add require_activation=true to the payload)

User attempt to login

  • Nonce is generated: cb68251eefb5211e58c00ff1395f0c0b

  • Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b

  • Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

  • Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D

  • HMAC-SHA256 is generated on the Base64 encoded Payload: 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471

Finally browser is redirected to:

http://www.example.com/discourse/sso?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D&sig=1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471

On the other end

  1. Payload is validated using HMAC-SHA256, if the sig mismatches, process aborts.
  2. By reversing the steps above nonce is extracted.

User logs in:

name: sam
external_id: hello123
email: test@test.com
username: samsam
require_activation: true

Unsigned payload is generated:

nonce=cb68251eefb5211e58c00ff1395f0c0b&name=sam&username=samsam&email=test%40test.com&external_id=hello123&require_activation=true

order does not matter, values are URL encoded

Payload is Base64 encoded

bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9c2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJlX2FjdGl2YXRpb249dHJ1ZQ==

Payload is URL encoded

bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9c2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJlX2FjdGl2YXRpb249dHJ1ZQ%3D%3D

Base64 encoded Payload is signed

3d7e5ac755a87ae3ccf90272644ed2207984db03cf020377c8b92ff51be3abc3

Browser redirects to:

http://discuss.example.com/session/sso_login?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9c2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJlX2FjdGl2YXRpb249dHJ1ZQ%3D%3D&sig=3d7e5ac755a87ae3ccf90272644ed2207984db03cf020377c8b92ff51be3abc3

Synchronizing DiscourseConnect records

You can use the POST admin endpoint /admin/users/sync_sso to synchronize a DiscourseConnect record, pass it the same record you would pass to the DiscourseConnect endpoint, nonce does not matter.

If you call admin/users/sync_sso from another site, you will need to include a valid admin api_key and a valid api_username in the request’s headers. See Sync DiscourseConnect user data with the sync_sso route for more details about how to structure the request.

Clearing DiscourseConnect records

If your external_id values from your DiscourseConnect provider have changed (perhaps you changed the generation algorithm, perhaps it’s a different endpoint) you can safely remove all the existing records using the rails console:

SingleSignOnRecord.destroy_all

Logging off users

You can use the POST admin endpoint /admin/users/{USER_ID}/log_out to log out any user in the system if needed.

To configure the endpoint Discourse redirects to on logout search for the logout redirect setting. If no URL has been set here you will be redirected back to the URL configured in discourse connect url.

Search users by external_id

User profile data can be accessed using the /users/by-external/{EXTERNAL_ID}.json endpoint. This will return a JSON payload that contains the user information, including the user_id which can be used with the log_out endpoint.

Existing implementations

  • The discourse_api gem can be used for SSO. Have a look at the SSO code in its examples directory to see a basic implementation.

  • Our WordPress plugin makes it easy to configure SSO between WordPress and Discourse. Details about setting it up are found on the SSO tab of the plugin’s options page.

Future work

  • We would like to gather more reference implementations for SSO on other platforms. If you have one please post to the Dev / SSO category.

Advanced Features

  • You can pass through custom user fields by prefixing the field name with custom. For example custom.user_field_1 can be used to set the value of the UserCustomField that has the name user_field_1.
  • You can pass avatar_url to override user avatar (SiteSetting.discourse_connect_overrides_avatar needs to be enabled). Avatars are cached so pass avatar_force_update=true to force them to update if the url is the same. Right now, you can’t pass an empty url to disable users’ avatar.
  • By default the welcome message will be sent to all new users created through SSO. If you wish to suppress this you can pass suppress_welcome_message=true
  • To configure your Discourse instance as a Discourse connect provider see: Using DiscourseConnect as an identity provider.

Debugging your DiscourseConnect provider

To assist in debugging DiscourseConnect you may enable the site setting verbose_discourse_connect_logging. By enabling that site setting rich diagnostics will show up in YOURSITE.com/logs. Be sure to :white_check_mark: the warnings box at the bottom of YOURSITE.com/logs.

We will log a warning to the logs with a full dump of the SSO payload:

173 个赞
Discourse SSO + normal login
Sync DiscourseConnect user data with the sync_sso route
SSO login & logout issues
Is there a "log_in" SSO API endpoint?
SSO locked me out of Discourse!
What is the SSO login URL
With SSO my user still need to hit the login button
SSO Login page not showing up
How to handle Discourse SSO when the authentication site allows users to change emails?
"User Log out API" return success in response but user session still alive
SSO integration & external profile sync help
Single Sign-Out?
Mobile (firebase) SSO authentication
Login to Discourse with website account details
SSO on Discourse using Atlassian Crowd
Discourse SSO using auth0 via URL
About the SSO category
SSO and e-mail addresses having a plus sign
Customized login auth plugin
Users who register on my site, register also on Discourse Vise Versa
How to generate nonce from client-side Javascript
Automatically assigning users to a group
Logout POST Request
User Fields to validate users
Automatic session management with OAuth SSO
Shibboleth / SAML / SSO -- Working Implementation for Higher Ed
Custom Login / Registration from another API
Merging users from different forums
Advantage and disadvantage of enabling SSO
Will Discourse ask for a username if it's not provided to /session/sso_login?
A way for admins to edit users' external IDs
Hashing Secret + Payload for SSO
[PAID] Setup SSO for self-hosted instance
Disable email verification for SSO
Auto-sign-in with the OpenId Connect Plugin and AWS Cognito
SSO with TownNews CMS
SSO locked me out of Discourse!
Switching out authentication for a passwordless alternative
Categorizing and tracking users
Using existing RoR application for user auth / signup instead of discourse
Enable sso for my site
Wordpress plugin not redirect to discourse login automatically
Discourse Ruby API testing "Unknown attribute 'auth_token' for User
A community of a no-code tool: SSO vs login via email
Segment Tracking Theme Component
Data explorer query to list the longest "estimated read time" topics?
Can usernames be numbers instead of Letters?
Create user in discourse by redirecting from another site
HMAC-256 example on Official SSO page
Discourse OAuth2 Basic
Jobs::DownloadAvatarFromUrl times out
Add links to meta.discourse.org instructions inside admin
How to configure the SSO Authorization URL via config (without using the admin panel)
Embed Discourse comments on another website via Javascript
TeamAndro exploring a migration from phpBB
DiscourseConnect payload hash encoding mismatch
Dev Category sidebar
Disabling SSO in development environment
Getting signed data from the server
User following invitation link is not visible in Admin/Users due to SSO
Getting signed data from the server
Getting signed data from the server
SSO and changing email addresses upstream
SSO (maybe) specific issue
SSO (maybe) specific issue
Why isn't Discourse more frequently recommended as a "community platform"?
Integration with .NET MVC application for a SaaS platform
Running my own discourse image
Unable to Login to Discourse, using wpdiscourse plugin
How do I make discourse use my platform's autentication system?
Automatic addition of users to group based on email domain
Allowing people to login using accounts from other websites
Seeking Slack Login / SSO for Discourse
Smooth J/K navigation when using keyboard
SSO to Joomla site
Discourse Connect on Local instance is not working
Discourse Connect on Local instance is not working
Implementing SSO for dev environment and troubleshoot
Login with FB, google and apple only
SSO provider implementation - Admin, moderator and groups ignored?
Nextcloud support
How to divide my community into 2 parts
Using Discourse to add a forum feature to our current application?
Shared cookie SSO: Notifying frontend
User auth with website at root and Discourse in subfolder
Can I authenticate to Drupal via Discourse?
Using Discourse as an authentication provider
Error 419 when Attempting DiscourseConnect, JavaScript
Difficulty of Tiered-access forum
Any way to not require email verification with WP as the SSO Provider?
How to auto-login user in application web view
How can I configure Single Sign On for our App to the Discourse Community Forum
[PAID] automatically change user email
Create apikey for user programmatically as admin
Discourse logins into Drupal 8/9
Discourse logins into Drupal 8/9
Bug when visiting same thread url
Open source will support customized provider SSO
Is there a way to get all emails of users with the API?
How can generate _forum_session and _t for an user through code/api call or without login to browser?
Show/hide forums based on the domain? (Shared forum via CNAME)
Integrate with DjangoRest and Vue.js
Auto-assign random, anonymous usernames
Connect Discourse Auth with my Django user DB?
Disable account confirm emails when creating users via API
Transforming usernames with SSO
WP as DiscourseConnect client: Signature parse error/Bad signature error (solved)
Automatically provision accounts with external SSO provider? (skip Create New Account prompt)
Error ArgumentError in DiscourseSsoController#sso, wrong number of arguments (given 1, expected 0)
Error ArgumentError in DiscourseSsoController#sso, wrong number of arguments (given 1, expected 0)
Embed variables in footer
Need help to setup SSO without emails
Programmatically log users out of discourse
Is it possible?
How do I remove people from putting names? I have an API system I want in there
How to detect Discourse user on Ghost Blog?
Problem in sso redirection for compose a new pre-filled topic via URL
How to make default avatars and make sure nobody changes there avatar I want to set them an avatar with my API system
How might we better structure #howto?
Making group joins automatic to an external pricing plan
Is Roblox Login Possible?
Session Timeout SSO after rebuild from Backup
Silverstripe CMS SSO Module
Discourse login with whmcs users
2.7.0.beta4: DiscourseConnect, Topic Timer UI revamp, Login Modal UI revamp, and more
Connecting Discourse invites to Marketo emails
Add support for multi-select fields in DiscourseConnect protocol
Sync WooCommerce Memberships with Discourse groups
Auto assign member to the certain group
Connecting to an external source of avatars?
Changing avatar_url while sso_overrides_avatar is set?
User avatar selection through API no longer working
Sync WooCommerce Memberships with Discourse groups
Disabling email verification
SSO Isnt working for me
Could Discourse offer a StackExchange-like SSO/Federated login service?
Mandatory username & avatar generation - How can we do this?
Intergrading discoures in to a application
Configure single sign-on (SSO) with WP Discourse and DiscourseConnect
How to connect to an external database running on localhost
Automate User Creation
Login Help - Correct way to login
Install Discourse on an isolated CentOS 7 server
What happens to my current users after configuring SSO?
SSO groups without completely overriding
JumpCloud LDAP/SSO
Lexicon: a customizable native mobile app for your Discourse site
DiscoTOC - automatic table of contents
Usernames getting modified – numeral “1” being added
Is "partial" SSO possible?
Send an invite to a user but complete their profile programmatically
Magento 2 as SSO Provider?
Discourse SSO Provider doesn't redirect to return_sso_url as user logs in with custom SSO
Force password change after login
SSO and e-mail addresses having a plus sign
Would Discourse meet all of these niche needs to be a video game community forum?
OpenID Connect and SSO
Does `sso overrides groups` work with Oauth2?
How to prevent another log in with Auth0 and OAuth2 Basic Plugin
Add user to group after purchase
Error Log Missing
Discourseconnect logout issues
Shibboleth SSO with Discourse
Other custom code on WP installation is preventing WP Discourse from redirecting back to forum
Using discourse forum in a native app (log-in, languages)
Use Discourse as an identity provider (SSO, DiscourseConnect)
Possible to send an email login link via API?
Possible to send an email login link via API?
Self serve SSO email synchronisation
Discourse Connect: How implementing Discourse login with an existing database?
Sync group membership with external list of email addresses
Distrust: Discourse as an OpenID Connect provider
Admin sso and group permissions
Can I use my own Login page instead of discourse's Default login dialog box?
Using node.js (discourse-sdk) API when SSO is enabled?
Using Discourse as SSO Provider for Wiki.js
SSO is forcibly creating the user as an admin
Modify the URL of 'create your account' button to an external site
DiscourseConnect Won't Let Me Log Back In
DiscourseConnect Won't Let Me Log Back In
DiscourseConnect Won't Let Me Log Back In
DiscourseConnect Won't Let Me Log Back In
Watched words links corrupt @mentions and #categories
Recursive Impersonation
User flair remains after user is removed from group
Recursive Impersonation
How to add a custom url text link on the login page
Can discourse delete archived posts automatically and accept registration without email?
Unable to Test Discourse Connect on localhost
Drupal 8 and Discourse shared SSO
SSO is forcibly creating the user as an admin
Onboarding 15k Trial Users/Year: Need Help Streamlining the Process
Filling in discourse_username when not using DiscourseConnect
Is DiscourseConnect available for self-hosted?
Is DiscourseConnect available for self-hosted?
Discourse login by cookie token
Could you update user avatar for wordpress plugin sso?
Secondary Emails with SSO
How to Disable Required SSO Email Activation
Redirect to Register link after invite while using SSO
Custom field in discourseconnect
Make email optional
User avatar selection through API no longer working
Wordpress plugin not redirect to discourse login automatically
Discourse login by cookie token
How to configure Discourse as the sole user-facing login/sign-up provider for Wordpress site
Custom field in discourseconnect
DiscourseSsoConsumer, a SSO extension for MediaWiki
System assigned profile picture not synced to Discourse Connect client sites
Discourse connect sync_sso avatar update issue
Discourse as OpenID Connect provider
Unable to create user in Discourse from WP with new registration form
Logging users in through c++ desktop application
Discourse as OpenID Connect provider
Is there any endpoint that would provide a user's external account IDs from their Discourse ID?
"Fake" OAuth Provider?
German People here
Invite only by email from database
Is it possible to autologin discourse via iframe?
New Wordpress users connecting to existing Discourse users
Login w/ Discourse w/o SSO?
Login w/ Discourse w/o SSO?
Login w/ Discourse w/o SSO?
Login w/ Discourse w/o SSO?
Generic “userN” usernames
Generic “userN” usernames
Change login link param (return_path)
Require accepting new terms (after changes) as a modal inside forum
Guest Gate Theme Component
Unable to Login to Discourse, using wpdiscourse plugin
How to switch from Discourse Connect SSO to local logins
Lack of Discourseconnect client tab in multisite for wordpress
Wordpress plugin not redirect to discourse login automatically
Wordpress plugin not redirect to discourse login automatically
Discourse Hosting Limits?
Guest Gate Theme Component
DiscourseConnect always returns "Nonce is incorrect, ..."
Auto Login enabled for public facing community?
Has anyone succeeded in using discourse as sso provider for nextcloud? Share recipe?
SSO in C# .NET App
Discourse SSO failed to login the user while redirection
Change email and username charset to unicode
Intergrate Discourse with keycloak
Auto Login enabled for public facing community?
Intergrate Discourse with keycloak
Intergrate Discourse with keycloak
Intergrate Discourse with keycloak
Intergrate Discourse with keycloak
Work with discourse users on an SPA
Work with discourse users on an SPA
WP-Discourse → User Switching Not Working
WP-Discourse → User Switching Not Working
Is there a way to use both local login and discourseConnect?
Allow my application users to login to discourse
Hide log out menu when using SSO
Discourse Integration Nextcloud bad csrf
Feature: create default user name from email's user portion when using Google OAuth2/SSO
Account login timed out when using SSO if auth_immediately = false
SSO login appears to have stopped working
Is there a way to use both local login and discourseConnect?
DiscourseConnect and user time zone / location
SSO Login issue
Configure an S3 compatible object storage provider for uploads
SSO Redirect Issues
Use Discourse as an identity provider (SSO, DiscourseConnect)
"Fake" OAuth Provider?
Sync WooCommerce Memberships with Discourse groups
SSO Redirect Issues
SSO Redirect Issues
Discourse Hosting Limits?
DiscourseConnect and user time zone / location
Embedding topics with login required and DiscourseConnect
WPDiscourse - Logout not working
Using Discourse as SSO provider but facilitating users continuing task on Wordpress?
Guest Gate Theme Component
"You need to sign in or sign up before continuing"
Any fallback available for failed SSO?
Changing email addresses not working as an Admin
Unable to anonymize user via API with SSO enabled
API bug : final "." in username causes error
Guest Gate Theme Component
Guest Gate Theme Component
Discourse Membership Synced with Member Status in other system (WHMCS)
Single sign-on sticks despite deleting the Discourse plugin
Populating email field on login page
Problem on SSO Login
API Create user external_ids parameter
Users unable to login with Discourse Connect
SSO Callback closes connection (0 bytes sent by server); used logged out of impersonation previously
Auto approve email domains still requires staff approval
SSO Failing to Override Avatar
Manually copying over comments from Wordpress, how do I can create user accounts?
SSO Broken - The requested URL or resource could not be found
Auto approve email domains still requires staff approval
Intergrate Discourse with keycloak
Can I use the Discourse API to authenticate users in another app?
Adding Discourse to existing Ruby on Rails site
Only let staff unlink social accounts?
Use WP Discourse to publish posts from Wordpress to Discourse
Discourse Connect does not auto login anymore
Adding SSO after many users already signed up -- how to migrate them?
Update user details
Is it possible?
Is it possible?
Is it possible?
Is it possible?
Is it possible?
Is it possible?
Unable to create user in Discourse from WP with new registration form
Login error while trying to use Discourse as an identity provider (SSO, DiscourseConnect)
How to add custom query parameter in discourse connect url?
Can I use DiscourseConnect along with Discourse Native Registration?
How can we disable 2FA for an user while we are using google auth2 login in Discourse?
Bratwurst: the wurst possible production DiscourseConnect provider
SSO Login with Discourse
Synchronize SSO login state between Discourse and provider
Connection and discourse account creation without going on discourse
Migrate an IPB 3.1 forum to Discourse
How to know if user has SSO
Email-less and password-less registration & authentication
Disable DiscourseConnect
Generating a login email via API
Any other way to authenticate user without redirecting to session/sso
SSO failover scenarios
How to use Discourse Connect (SSO) to update avatar, username, name?
How to use Discourse Connect (SSO) to update avatar, username, name?
How to use Discourse Connect (SSO) to update avatar, username, name?
Label Sets
An entirely email-less Discourse instance
Issue with Api
Invites keep getting error "not_matching_email"
Any other way to authenticate user without redirecting to session/sso
Bad automatic choosing of username when using SSO (DiscourseConnect)
Use Discourse as an identity provider (SSO, DiscourseConnect)
Unable to setup discourse in my windows 10
Ghost & Discourse SSO implementation
Is there a possibility for Discourse to integrate with web3 wallets?
Guest Gate Theme Component
Discourse SSO Configuration
How admin user re-logins after using discourse connect sso and custom domain
How admin user re-logins after using discourse connect sso and custom domain
How to set Authorization token in request headers when user attempts to login on discourse
How can I check in my website if the user is logged in to my Discourse?
Go from a Wordpress + Discourse structure to a Discourse site only?
Generating and retrieving user API keys
Wordpress avatars from Discourse when Discourse is the SSO provider
Discouse Connect avatar_url with S3
How to "intercept" first time SSO usages to let users confirm the SSO action and set a username?
Discourse Connect receive Discourse Approval state
Multiple development instances
Multiple development instances
How to create a login on my front-end application to a specific Discourse site?
How to create a login on my front-end application to a specific Discourse site?
Use Discourse as an identity provider (SSO, DiscourseConnect)
First time login for a user using API KEY
DiscourseConnect and Clickfunnels
Connect discourse with magento?
Can we combine 2 separate discourse sites?
Multisite vs multiple containers
Discourse login from external site
Users allowed to see only some categories
Add links to Discourse that allow users to authenticate via SSO or access private groups directly if they are logged in already
Using external_id via API
How to set Authorization token in request headers when user attempts to login on discourse
Discourse Connect Flow
Add links to Discourse that allow users to authenticate via SSO or access private groups directly if they are logged in already
Add links to Discourse that allow users to authenticate via SSO or access private groups directly if they are logged in already
Discourse Connect Flow
Issue with Drupal Discourse SSO
I keep getting logged out after implementing Discourse SSO
Wp_discourse unable to remember login status
Splitting a site into two parts
DiscourseConnect Provider Questions
Login error
DiscourseConnect Provider Questions
Create User external_ids parameter
Error creating account in Wordpress with Discourse Connect
Use Discourse Connect with Wordpress and regular login
How to add users to multiple groups using discourse connect?
The Sign up button is not activated
Admin status repeatedly revoked
Use Discourse Connect with Wordpress and regular login
Add user to group via webhook with email
Login error
Notify admins if a user updates their primary email
Customising hostname sent in email links for app deeplinking
Plugin to integrate Shopify accounts with Discourse
How to do single sign-on with forum program?
Exploring ways to partition a forum
Exploring ways to partition a forum
GET DiscourseConnect Single Sign On record via APIs
Simple login by email via deep links containing a username
While using DiscourseConnect, is the CONFIRM Account needed?
While using DiscourseConnect, is the CONFIRM Account needed?
Discourse Connect/Squarespace (SSO)
Discourse Connect/Squarespace (SSO)
Wordpress username publishing help
Wordpress username publishing help
How to set language for SSO users
Log in button Redirects Issue
Log in button Redirects Issue
Want to set internal forum on our reactjs member's platform
New instructions for SSO setup? "enable discourse connect" setting is missing
New instructions for SSO setup? "enable discourse connect" setting is missing
Bulk invite to group
Wordpress Groups Sync with Discourse
Add a new user via API
Configure GitHub login for Discourse
Seeking Guidance: Dual Authentication Setup for Moderators and Students
Seeking Guidance: Dual Authentication Setup for Moderators and Students
Anyone has discovered/ build a site as multisite (SSO), would like to see the possibilities for inspiration!
Use SSO to auto create Discourse login/password after signed up in my SaaS
Undefined method `kilobytes' for "100":String error breaks topic and avatar sync
"Login error" page during the login attempt by existing user previously added through SSO
"Login error" page during the login attempt by existing user previously added through SSO
Gate our community to just members of our Shopify site?
How best to engage Discourse for a larger WordPress magazine?
How best to engage Discourse for a larger WordPress magazine?
How can I change the registration URL?
How do I go about making a very customized theme?
An idea for more economical comments?
Unable to disable SSO via SSH
Is it possible to have an automatically updating link to a user's profile picture? Such as by giving each user one "slot" for an avatar?
SSO broken after rebuild with stable v3.3.3
Using Discourse Connect with a mobile app
Disable DiscourseConnect
Missing anchor links in certain TOC topics?
Integration into custom auth system where emails are not unique?
How to disable SMTP during installation?
Create User external_ids parameter
Auto Login to my Discourse site / subdomain
How to Disable activation_reminder email sending?
Communities using discourse SSO for their in-app community experience
Extending header buttons
Auth via Discourse Forum
🧩 How to Build an Android App User Community with Discourse? [HeyApks Project]
Postgres doesn't seem to be running when running Discourse locally using Docker
Discourse sso login redirect to localhost:3000, not 4200 (running via docker)
Cross-Discourse Quoting
Is it Possible to Send Encrypted Email and Password in the Authentication Flow?
Nutzung von Nextcloud aus Discourse heraus
Understanding PII storage in Discourse
Log in button Redirects Issue
Login to Discourse with custom Oauth2 provider
Can I log into multiple instances of discourse simultaneously?
Upgraded last night and login button no longer works
SSO with Roles translating to Groups
Redirect login possible?
How to disable SSO via SSH
Connect Multiple WP Sites To 1 Discourse Installation?
What is the procedure to obtain CAS between my website and my discourse instance?
Problem logging in using SSO plugin
PAID: Create Open Source SSO plugin to auth with Wild Apricot
Trouble connecting drupal and discourse
About the idea: IDENTITY = EMAIL
About the idea: IDENTITY = EMAIL
How to create members-only site with Discourse, WordPress, and LearnDash
Consequences of not validating email addresses
SSO and Restricted Groups
Questions about Discourse on Digital Ocean
Require users to join at least one group at sign-up
Change right gutter to vertical timeline + topic controls
Use the same user database and login credentials in multiple discourse instances
How to connect my (existing) User Database?
Can usernames be numbers instead of Letters?
User group sync with drupal
Options with SSO with another custom application
Issues in Integrating SSO in Discourse
How to implement Discourse with an already built Rails project
Updating SSO documentation
Configuring SSO to Work With SocialEngine
Updating SSO documentation
Discourse view file update does not reflect in browser
Discourse view file update does not reflect in browser
Trying to set up SSO
Discourse doesn't re-verify an address changed by SSO
Discourse doesn't re-verify an address changed by SSO
User API keys specification
SSO and Discourse Consulting
Changing the unique key to identify users
Setting the user title(group?) based on the information that is coming from the sso payload
Mini (Inline) Onebox Support RFC
TL2 welcome message sent every time on SSO login
Error during SSO integration - Wholistic Minds
Advice needed for tailoring Discourse to my organisation
Rails error when using DiscourseConnect and Wordpress
Primary and Discourse Site Integrations
Automatic Table of Contents generation
Questions Regarding Account Authentication Methods
Can usernames be numbers instead of Letters?
Redirect all users who click on domain.com/signup to a different page
Poll Result Breakdown
Cant update email via API - invalid_access error
Disabling all emails except those registration related?
Allow admins to change email addresses easily
Can't get avatar overrides to work over SSO
Allow admins to change email addresses easily
Creating and configuring custom user fields
Conflicting email addresses, giving admins more power to resolve issues
Unable to create user in Discourse from WP with new registration form
Which Discourse hosting tier should I choose?
New users via API if allow new unchecked
How to change login settings without being logged in?
579

您好,我很难找到任何信息,但它使用的是什么协议?假设是oauth2?参数似乎不匹配,并且我收到提供商的错误,该提供商似乎接受 sso= 参数?救命!\n\n谢谢

580

DiscourseConnect 是 Discourse 的 SSO 实现。它不使用标准协议。

如果您不介意查看 PHP 代码,这里有一个示例实现:https://github.com/discourse/wp-discourse/blob/main/lib/sso-provider/discourse-sso.php。

是的,那行不通。如果您有想要用于验证用户的 OAuth2 提供商,请查看 Discourse OAuth2 Basic 插件。

1 个赞
581

感谢 @simon。PHP 代码也是一个提供者,而不是消费者吗?我还看到了一个 OIDC 提供者,它也可能起作用,还有一个插件区域中的“中间人”提供者。

如果 SSO 提供者是非标准的,那么它打算为谁/什么服务,如果它不能与其他提供者很好地协同工作的话?

再次感谢!

582

我链接的代码是用于将 WordPress 作为 Discourse 的身份验证提供者。

WordPress 插件还允许将 WordPress 用作 DiscourseConnect 客户端:https://github.com/discourse/wp-discourse/tree/main/lib/sso-client。

我不确定在 Discourse 中添加自定义 SSO 实现的动机是什么。我猜是有商业原因的。

它提供的一个好处是允许将外部站点与 Discourse 紧密集成。例如,此处列出的所有用户属性都可以在身份验证过程中与 Discourse 同步:discourse/lib/discourse_connect_base.rb at 7b89fdead98606d4f47ceb0a1d240d0f6e5f589e · discourse/discourse · GitHub

它还允许将未配置为 OAuth2 或 OpenID Connect 提供者的站点用于对 Discourse 上的用户进行身份验证。

缺点是它需要在身份验证提供者站点上添加一些自定义代码。

1 个赞
583

您好,我想了解一下在提供 SSO 的外部网站上不验证电子邮件地址会存在哪些问题。仅仅是这样会助长自动垃圾邮件吗?还是有其他需要考虑的因素?如果外部网站不进行电子邮件验证,为什么不建议 Discourse 来处理电子邮件验证?

感谢您提供的任何额外见解。

584

据我所知,最糟糕的情况需要满足以下条件:

  • 电子邮件地址未在外部网站上进行验证
  • SSO 负载中未设置 require_activation=true
  • Discourse 站点上已存在没有关联 SingleSignOnRecord 的帐户(帐户所有者从未通过 SSO 登录过 Discourse)

在这种情况下,有人可以在外部网站上使用从未通过 SSO 登录过的 Discourse 用户的电子邮件地址注册。这将允许来自外部网站的未经验证的帐户接管使用相同电子邮件地址的 Discourse 帐户。如果这是 Discourse 上的管理员帐户,那将尤其令人担忧。

如果外部网站未处理电子邮件验证,确实建议 Discourse 处理电子邮件验证:

不过,在外部网站上处理电子邮件验证有几个原因更好:

  • 强制用户接收来自 Discourse 的确认电子邮件会在用户首次尝试登录 Discourse 时增加一些摩擦。(但实际上,这种摩擦必须发生在某个地方——要么在 Discourse 端,要么在外部网站端。)
  • 如果 SSO 负载中的 require_activation 设置为 true,Discourse 将不会根据电子邮件地址将现有的 Discourse 帐户与外部登录匹配。如果您在 DiscourseConnect 启用后,某些帐户已通过用户名/密码注册创建,那么这将是一个问题。如果您出于任何原因需要删除 Discourse 上的 SingleSignOnRecord 条目,那也将是一个问题。当用户尝试重新登录 Discourse 时,Discourse 不会自动创建新的 SingleSignOnRecord 条目。
4 个赞
585

谢谢,@simon - 这非常有帮助!

586

您好,我有一个关于 SSO payload 中 groups 字段的问题。

自动用户组(例如管理员、版主和信任等级)也会被覆盖吗?还是会保留?

587

不会!假设该设置的描述是正确的,它只会影响手动用户组。

588

你知道吗……我在描述中没有看到“手动”这个词。听起来很有希望,符合我的用例,我会试试看,然后回来汇报。

1 个赞
589

当我读到这里时,我以为我应该直接从base64编码的载荷生成签名。我没有意识到你需要从UTF-8字节生成它。能否澄清一下?

590

我一直在使用 DiscourseConnect - 文档很棒,谢谢。
不过我遇到了一些障碍,希望得到一些帮助/澄清。

我们希望用户能够使用他们的 Discourse 登录来登录 Wordpress(这工作正常 :slight_smile: ) - 然而。

  • 是否可以通过 Discourse 注册来创建 Wordpress 用户(当用户创建 Discourse 用户帐户时,它会自动为他们创建 wordpress 帐户/配置文件,以便他们可以登录 wordpress)

  • 是否可以同步 Workpress 用户组和 Discourse 组。
    如果用户同时拥有 Wordpress 和 Discourse 用户帐户,DiscourseConnect 能够将它们关联起来 - 但它不会给 wordpress 帐户与其同名的 Discourse 组的用户组,反之亦然(如果组名称不同怎么办 - 我该如何告诉 DiscourseConnect 在用户拥有名为“Group for Testing Things”的 Discourse 组时,为他们分配名为“Testing Group”的用户组?)

我错过了什么?

591

我不知道答案,但是……

要小心。这在某种程度上是非法的,而且被广泛认为是不好的做法(当然,网站所有者除外 :smirking_face:),因为这会在用户不知情或未经同意的情况下发生,同时数据也会被转移到其他地方。

当然,这在某种程度上处于灰色地带,基本上,例如,谷歌就是这样做的。

但是……为什么?在WordPress端仅限于Discourse SSO登录,并将用户重定向到Discourse进行账户创建,仅此而已。但据我所知,你无法开箱即用地自动同步用户账户。而且你为什么要这样做,因为有了SSO,当用户需要时就会发生。

592

在我们的场景中(作为一个会员组织)

  • WordPress 用于管理订阅、在 WordPress 商店购买商品,我们使用用户组来管理会员在组织内的权限
  • Discourse 是我们的论坛/在线社区,我们使用群组来控制用户可以访问 Discourse 的哪些区域)

目前,新会员需要设置一个 WordPress 账户(并设置他们的订阅等),同时还需要设置一个 Discourse 账户,并且用户组-Discourse 群组是手动管理/同步的。

我正在寻找一个解决方案,让新用户只需设置一次即可创建两个账户,并且用户组-Discourse 群组能够自动同步——我相信我可以通过 API 等方式解决群组同步问题。我试图解决/避免的是多用户账户设置问题。

593

听起来您正在使用 Discourse 作为 WordPress 的 SSO 提供商。该方法在此处进行了概述:使用 Discourse 作为身份提供商 (SSO, DiscourseConnect)。Discourse WordPress 插件提供了将 WordPress 作为 Discourse 的 SSO 提供商,或将 Discourse 作为 WordPress 的身份提供商的选项。对这两种方法使用相同的名称会导致一些混淆。

在这种情况下,我倾向于使用 WordPress 作为身份提供商。通过这种方法,用户将在您的 WordPress 网站上创建账户,然后使用他们的 WordPress 凭据登录 Discourse。需要注意的一点是,这意味着用户只能通过 WordPress 登录 Discourse,而无法在没有 WordPress 账户的情况下创建 Discourse 账户。我认为这是将 Discourse 与 WordPress 会员网站集成时的合适设置。

当 WordPress 被用作 Discourse 的身份提供商时,有几个实用函数可用于根据用户在 WordPress 上的活动来设置用户的 Discourse 群组会员资格。这些函数在此处进行了概述:使用 WP Discourse SSO 管理 Discourse 中的群组会员资格

回到您最初的问题:

我有一段时间没有查看 WordPress 插件的 DiscourseConnect 客户端代码了,但我认为您所询问的功能或多或少是该代码的预期工作方式。如果用户拥有 Discourse 账户,他们只需点击 WordPress 上的“通过 Discourse 登录”链接,就会为他们创建一个账户。

在使用 WordPress 作为 DiscourseConnect 客户端时,这在技术上是可行的,但除非有什么变化,否则您将无法使用我链接到的文档中概述的 add_user_to_discourse_groupremove_user_from_discourse_group 方法。您需要做一些事情,例如设置一个 Discourse Webhook,在用户被添加到 Discourse 群组时触发,然后在 WordPress 上添加一些代码来处理该 Webhook。要将群组从 WordPress 同步到 Discourse,当 WordPress 上发生更改时,您需要向 Discourse 发出 API 调用来更新用户的群组。因此,如果您使用 WordPress 作为 DiscourseConnect 提供商,那么一些相对容易实现的事情,如果使用 WordPress 作为 DiscourseConnect 客户端,可能会有些复杂。

1 个赞
594

除非使用自定义登录,因为通常在使用 WooCommerce/memberships/LLM 时会出现这种情况,并且默认情况下不会强制只使用 Discourse SSO 作为提供商,这需要一些自定义工作。

595

有几个可能的问题,一个与缓存有关,另一个与某些插件添加的登录重定向有关。遇到这些问题的任何人都可以到 Support > WordPress 类别中提问。这些问题通常很容易解决。

596

我完全忘了回复:确实,它的作用与描述的完全一样,只影响手动群组。

597

你好 @simon

我认为我真的需要一些关于我的 SSO 功能 POC 探索中的 404 响应的帮助。我为这个问题花了一整天的时间,但仍然无法弄清楚问题所在。我能够:

  1. 启用 discourse_connect
  2. 将 discourse_connect_url 设置为 https:/ /localhost:4200/login
  3. discourse-connect secret:20’s (1) 1111111111111111111 保持简单

然后在我的 Angular 应用的登录页面,我通过以下代码发送了这个请求:

This image displays a snippet of JavaScript code that performs an API request to create a new user record on Neuralink.com with specific details and authentication setup. (Captioned by AI)
This image displays a snippet of JavaScript code that performs an API request to create a new user record on Neuralink.com with specific details and authentication setup. (Captioned by AI)685×801 29.8 KB

但我收到了 404 未找到的响应。

根据我的理解,在向 admin/users/sync_sso 端点发送 POST 请求时,如果用户不存在于 discourse 中,它应该根据 user_id 和 email 创建一个新用户,然后返回的结果应该是一个用户对象,而不是一个状态码为 404 的空对象。
我也检查了日志,它没有提供任何与此失败响应相关的​​信息。

提前感谢!