Summary | Discourse OpenID Connect allows an OpenID Connect provider to be used as an authentication provider for Discourse. | |
Repository Link | https://github.com/discourse/discourse-openid-connect | |
Install Guide | How to install plugins in Discourse |
Features
The plugin aims to provide a minimal implementation of the specification. Specifically, it supports the âAuthorization Code Flowâ. To get started, follow the plugin installation instructions, or contact your hosting provider.
Our oauth2-basic plugin can be used for connecting to some openid-connect providers (OpenID Connect is based on OAuth2). However, this plugin should require far less manual configuration, and can make use of the JWT âID Tokenâ if a JSON API is not available.
Configuration is automatically performed using an OpenID Connect Discovery Document. According to the specification, this should be located at <issuer domain>/.well-known/openid-configuration
, but Discourse supports any path to allow for non-compliant implementations (e.g. Azure B2C). The discovery document is cached for 10 minutes, to improve performance on high-traffic sites.
If the discovery document includes a userinfo_endpoint
parameter, then the plugin will use that to collect user metadata. If not, the plugin will extract metadata from the id_token
(A JWT) supplied by the token endpoint. The plugin DOES NOT verify the authenticity of the JWT signature, as this would significantly increase complexity. This decision is supported by the specification:
If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature.
Configuration
Basic Configuration Options
-
openid_connect_enabled:
Enable OpenID Connect authentication -
openid_connect_discovery_document
: OpenID Connect discovery document URL. Normally located athttps://your.domain/.well-known/openid-configuration
-
openid_connect_client_id
: OpenID Connect client ID -
openid_connect_client_secret
: OpenID Connect client secret -
openid connect rp initiated logout
: Redirect the user to end_session_endpoint after logout. Must be supported by your identity provider and included in the discovery document. -
openid connect rp initiated logout redirect
: (optional) The post_logout_redirect_uri which will be passed to the logout endpoint. If provided, it must be registered with the identity provider. -
openid_connect_authorize_scope
: The scopes sent to the authorize endpoint. This must include âopenidâ -
openid_connect_use_pkce
: Enable Proof Key for Code Exchange (PKCE) for OpenID Connect authentication. -
openid_connect_verbose_logging
: Log detailed openid-connect authentication information to/logs
. Keep this disabled during normal use.
Advanced Configuration Options
-
openid_connect_token_scope
: The scopes sent when requesting the token endpoint. The official specification does not require this. -
openid_connect_error_redirects
: If the callback error_reason contains the first parameter, the user will be redirected to the URL in the second parameter. Used for unusual implementations that send errors in response to user input (e.g. Azure B2C) -
openid_connect_allow_association_change
: Allow users to disconnect and reconnect their Discourse accounts from the OpenID Connect provider
Example setup
Here we will set up the openid-connect plugin to connect to Googleâs OpenID Connect provider. This replicates functionality that already exists in the core of Discourse, but it serves as an accessible example.
-
Head to https://developers.google.com/identity/protocols/OpenIDConnect and follow the instructions to obtain OAuth Credentials.
-
On the same page, follow the instructions to add a redirect URI. This should be
https://<your_forum>/auth/oidc/callback
(without a trailing slash) -
Go to your Discourse site settings and search for âopenid_connectâ
-
openid connect enabled
: -
openid connect discovery document
:https://accounts.google.com/.well-known/openid-configuration
-
openid connect client id
:<client-id>
-
openid connect client secret
:<client-secret>
-
openid connect authorize scope:
openid email
(with a space in between)
-
-
Youâre done. The âLogin with OpenID Connectâ button will now log in using Google . These same steps can be applied to other providers, with very minimal changes.
Debugging
In addition to the verbose_logging
setting described above, you can access data about OIDC associations using the data-explorer plugin:
SELECT user_id, provider_name, provider_uid
FROM user_associated_accounts
WHERE provider_name = 'oidc'
Or on the rails console:
User.find_by_username("david").user_associated_accounts.where(provider_name: 'oidc')
Provider Specific Notes
Please feel free to update this if you find any provider-specific quirks relating to this integration:
Azure AD
Add the email
scope, and make sure youâre using the version 2 endpoint configuration document. For example
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
Azure B2C
The discovery document URL details can be found here: Web sign in with OpenID Connect - Azure Active Directory B2C | Microsoft Learn
To make emails work:
Yahoo
-
Head to Yahoo and create a new app
-
Enter the Application Name, and set the callback domain to your forum domain (e.g.
meta.discourse.org
) -
Under API Permissions, choose Profiles: Read/Write Public and Private. This is the only way I know of to obtain the user email address
-
Save the app
-
In the Discourse OIDC settings, set the discovery document to
https://login.yahoo.com/.well-known/openid-configuration
-
Enter the client ID and secret from Yahoo
-
Enable the OIDC plugin
AWS Cognito
- Go to Cognito and select or create a new user pool.
- Define an app in App clients.
- Leave everything to default, but change Auth Flows Configuration to only select ALLOW_REFRESH_TOKEN_AUTH.
- Go to app client settings and select the new app.
- Change the callback URL to https://yoursite.example.com/auth/oidc/callback.
- Only check the Authorization code grant flow among âAllowed OAuth Flowsâ.
- Check all scopes needed (I have all checked).
Okta
-
Configure Discourse with your Okta app client ID and secret
-
Set the discovery document URL to
https://{your-app}.okta.com/.well-known/openid-configuration
-
In Discourse, set the
openid connect authorize scope
toopenid email
Hosted by us? This plugin is available on our Business and Enterprise plans. OAuth 2.0 & OpenID Connect Support | Discourse - Civilized Discussion
Last edited by @KhoiUSA 2024-12-11T21:12:15Z
Check document
Perform check on document: