OpenID Connect Authentication Plugin

Thanks for helping out! Really appreciate it. I just tested it and it seems there are multiple Content-Type headers being returned. Still, the last one is application/json.

How does your configuration from within Discourse look? This is from mine.

Not much different ;). Note that WHMCS uses a non-standard discovery URL.

Perhaps a good strategy to debug this would be to inspect the behavior of your OIDC endpoints and compare with others?

How does your OIDC provider compare to others? Perhaps try using a browser inspector and watch for the content-type header in the responses during the authentication flow for example.

Here is one I found by googling OIDC playground on google:
https://micah.okta.com/oauth2/aus2yrcz7aMrmDAKZ1t7/.well-known/openid-configuration

Which was described with demo credentials here:
https://okta-oidc-fun.herokuapp.com/continue?code=SqiVwZn0UNAWXT6NY3gh&state=dashing-ray-courageous-year

I suspect this is the issue. The server should not return multiple content types for a single response. Have you raised this issue with WHMCS?

6 Likes
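An added example, not part of the original thread and not code from the plugin: one way to check a discovery response for the duplicate Content-Type problem discussed above. The sample response, the `idp.example` host, the function name and the subset of required metadata keys are all assumptions made for illustration.

```python
import io
import json
from http.client import parse_headers

# Constructed sample response; not captured from WHMCS or any real provider.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"issuer": "https://idp.example", '
    b'"authorization_endpoint": "https://idp.example/authorize", '
    b'"jwks_uri": "https://idp.example/jwks"}'
)

# Subset of the metadata a discovery document must carry (assumed sufficient here).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "jwks_uri")


def audit_discovery_response(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw HTTP discovery response."""
    fp = io.BytesIO(raw)
    status = fp.readline().decode("iso-8859-1").split()
    headers = parse_headers(fp)  # consumes header lines up to the blank line
    body = fp.read()
    findings = []

    if len(status) < 2 or status[1] != "200":
        findings.append(f"unexpected status line: {status}")

    content_types = headers.get_all("Content-Type") or []
    if not content_types:
        findings.append("no Content-Type header")
    if len(content_types) > 1:
        findings.append(f"multiple Content-Type headers: {content_types}")
    for value in content_types:
        if value.split(";")[0].strip().lower() != "application/json":
            findings.append(f"non-JSON Content-Type value: {value}")

    try:
        doc = json.loads(body)
    except ValueError:
        return findings + ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return findings + ["body is not a JSON object"]
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        findings.append(f"missing metadata: {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit_discovery_response(SAMPLE_RESPONSE):
        print(finding)
```

To audit a real provider, save the raw response including headers (for example with `curl -i`) and pass the bytes to `audit_discovery_response`.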

Hey @louis-lau – did you ever get this up and running? SSO for WHMCS + Discourse? Maybe you have seen this yet? WHMCS Single Sign-On Developer Guide - WHMCS Documentation

I don’t see anything on the WHMCS forums either. I even tried searching with DDG / Google using “site:whmcs.community discourse” - no luck.

I would expect that the popup that opens to log in would close when it is successful, causing the parent frame to be refreshed. This doesn’t happen. I’m redirected and logged in within the popup. Is there a way to fix this?

This plugin shouldn’t open any popups. Have you customised it in some way?

1 Like

That would explain why it stays in the popup. I guess an ex-colleague made a change, but I cannot find it at all. We use the SAML plugin as well; that one opens in a popup also, even though full_screen_login is turned on. If you have any pointers on where to look, that would be greatly appreciated. But thanks for the help in any case!

Try authenticating while in safe mode. That should rule out any customisations made using themes, or client-side plugins.

Are you using the official versions of discourse & the plugins? Or are you running forked versions with changes?

5 Likes

No to all of that. Only official version, latest versions of everything. Safe mode didn’t change it. From debugging I can see that full_screen_login is overridden in Ember somehow. Logging in with OpenID in full screen does work when I disable all other login options. But with, for instance, ‘enable google oauth2 logins’ enabled it does not work. The login windows for both options open in a popup. With the Google login it refreshes the parent window though.

I’d like to allow users to specify their own authentication provider, as was possible with OpenID 2.0. I believe this is specified as a possibility for OpenID Connect as well. What would it take to add such support to this plugin?

Whilst it is technically possible, I don’t know of any OpenID Connect clients which allow the user to specify arbitrary identity providers. Allowing that makes it very easy for users to supply ‘fake’ information.

3 Likes