Edit for future readers: This has been solved. It was a bug with Discourse social logins and `fullscreen_login`. For those using Keycloak as their SSO provider like me, make sure you:
- Set your valid redirect URI to `https://yourforum.com/auth/oidc/callback`
- Set your Root URI to the same thing.
- Make sure the client is `confidential`, not `public` or bearer-only.
- Use the client ID you set in Keycloak as the client ID in Discourse. So if you named the Keycloak client `discourse`, that’s what you’re calling it in Discourse.
- In Discourse, make sure you set your OpenID discovery document URL to `https://<your-keycloak-server>/auth/realms/<your-realm>/.well-known/openid-configuration`.
- You can find your Client Secret in the Keycloak admin panel for your client under “Credentials.”
- Make sure “Enable Authorization” and “Enable Service Accounts” are both enabled in the Keycloak client, and “Enable Consent” is false.
- Set your Authorization Scopes in Discourse to `openid profile email`
- You don’t need to worry about Token Scopes.
- Disable ALL other login methods in Discourse, including local logins, if you want it to only use Keycloak. For things like Google, Twitter, etc. logins, you can set those up inside Keycloak.
- If all goes well, both the Sign Up and Log In buttons in Discourse should redirect the user to your Keycloak realm to log in. Happy single-signing-on.
Hey there. I’m in the process of moving my community from the Watercolor Games community (whose domain is literally going to expire in a few days at the time of writing this) to the new Bit Phoenix Software forum.
With this move, I’m trying to set up a way for community members to sign in to both Discourse and our MediaWiki instance using a Bit Phoenix Account. The wiki is working perfectly; Discourse, however, not so much.
I’m using Keycloak as my identity provider and it’s working fine. I have a discourse client set up in it, and I have Keycloak configured as the OpenID discovery URL in my Discourse. I have all other authentication methods in Discourse completely disabled so the user gets redirected to the Bit Phoenix Account login page, a.k.a. Keycloak. That works.
I can also log in to my existing administrative user account through Keycloak and it gets me onto the account I created in Discourse during installation - so I still have full admin access to the forum. Awesome!
But, in testing, I had one of the people who moderates the old forum sign in using THEIR Bit Phoenix Account (knowing they wouldn’t possibly have a Discourse account in the new forum yet) and while they can successfully log in to Keycloak, they do not get logged into Discourse (and don’t receive any errors.)
Things I have tried

Enabling verbose logging in the OpenID Connect extension
Shows me the moderator logging in and I can see all their Keycloak user info. They are indeed logged in according to the logs.

Looking in the Sessions list in Keycloak for the `bitphoenix` realm
I can see both my administrative session and the moderator’s user session in the list under `discourse`. Keycloak sees us both as logged in.

Enabling `force_https`
No effect whatsoever, as I figured.

Enabling/disabling/fiddling with various settings pertaining to `invite_only`, etc. to control user registration
Only affects the Discourse UI. Some settings hide and show the Signup button, some disable reading of posts anonymously, none fix the issue. The Signup button just takes you to the Keycloak UI anyway.
Desired outcome
- User goes to wiki or discourse forum
- they’re not logged in, they can read but can’t post
- they decide to log in so they click “log in” in the wiki or discourse UI
- they are prompted for a username and password for their Bit Phoenix account
- they are given the choice to create a new BP account here
- on doing that, they are forced to verify their email
- on success they are redirected back to Discourse
- if an existing Discourse user can be found, great. Sync their profile and log them in.
- If not, create the new Discourse user based on their Bit Phoenix account and log them in as if they just signed up for Discourse. This doesn’t happen.
Any help is GREATLY appreciated on this one, even more so than usual. This is pretty time sensitive - I have no idea when the Watercolor Games website is gonna drop off the face of the earth suddenly and I wanna have all this stuff set up right then and there so the roll-out is nice and easy. Thanks so much in advance!
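As an added example (not code from this post, nor from Discourse or Keycloak), here is the Keycloak-side part of the checklist at the top of the post written as a check against a Keycloak client export; `FORUM_CALLBACK` and `SAMPLE_CLIENT` are constructed values, and the wildcard check goes one step beyond the checklist.

```python
# Added example (not from the post): the Keycloak-side checklist above, turned into a
# check over a Keycloak client export. Field names are Keycloak's ClientRepresentation
# as exported by the admin console; SAMPLE_CLIENT is a constructed sample, not a real export.
FORUM_CALLBACK = "https://yourforum.com/auth/oidc/callback"

SAMPLE_CLIENT = {
    "clientId": "discourse",
    "rootUrl": FORUM_CALLBACK,
    "redirectUris": [FORUM_CALLBACK],
    "publicClient": False,
    "bearerOnly": False,
    "consentRequired": False,
    "serviceAccountsEnabled": True,
    "authorizationServicesEnabled": True,
}


def check_keycloak_client(client, callback, discourse_client_id):
    """Return a list of problems; an empty list means the client matches the checklist."""
    problems = []
    if client.get("clientId") != discourse_client_id:
        problems.append("clientId does not match the client ID configured in Discourse")
    uris = client.get("redirectUris", [])
    if callback not in uris:
        problems.append("valid redirect URIs do not include the Discourse callback")
    # Beyond the post's checklist: Keycloak accepts '*' wildcards in redirect URIs;
    # a broad pattern weakens the redirect check, so list the exact callback only.
    if any("*" in u for u in uris):
        problems.append("a redirect URI contains a wildcard")
    if client.get("rootUrl") != callback:
        problems.append("rootUrl should equal the Discourse callback")
    if client.get("publicClient", False):  # confidential means not public...
        problems.append("client is public; Discourse needs a confidential client with a secret")
    if client.get("bearerOnly", False):    # ...and not bearer-only
        problems.append("client is bearer-only, so it cannot run the browser login flow")
    if client.get("consentRequired", False):
        problems.append("Enable Consent must be off")
    if not client.get("serviceAccountsEnabled", False):
        problems.append("Enable Service Accounts must be on")
    if not client.get("authorizationServicesEnabled", False):
        problems.append("Enable Authorization must be on")
    return problems


def check_discovery_url(url):
    """True if url matches the discovery-document shape the post gives (Keycloak 17+ drops /auth)."""
    return (url.startswith("https://") and "/realms/" in url
            and url.endswith("/.well-known/openid-configuration"))
```

Run `check_keycloak_client` over a client JSON exported from the Keycloak admin console to see which of the checklist items are still off.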