We’re using the Discourse Oauth2 Basic plugin to do SSO via our API, we’d like to add functionality and we think it might be useful to other sites too.
During the account create process, once an OAuth2 token is obtained the plugin retrieves account data like email and uuid from an API endpoint
oauth2_user_json_url the admin specifies in Discourse.
As far as I can tell though, the
oauth2_user_json_url endpoint is only contacted once during sign-up.
Add a user data attribute to pull from
oauth2_user_json_url: email_verified - Admins tell the plugin where to look for email, full name, user id, username and avatar in the oauth2_user_json_url response, we’d like to also specify an
email_verifiedboolean field meant to indicate whether a user has confirmed their account at the OAuth2 provider.
Add option to continue to check
Here are three scenarios where this would be useful:
Check if Email is Verified - Keep the Discourse account unactivated until Discourse receives an
email_verified=trueresponse from the API. Show the user a pending state with a “refresh” link that re-checks.
Check for updated user email, account state upon login - When a user logs in via the OAuth2 Provider, re-contact the
oauth2_user_json_urlendpoint and update their Discourse email address if it has changed at the provider, and deactivate their account if the API returns a 401 response.
- Check API periodically for email, account state updates - I am least sure about this one, but I want to solve the problem where a user deactivates their account at the OAuth2 Provider, and doesn’t log back in to Discourse. In that case we still want Discourse to (eventually) get the news that the user is inactive, which could happen via a 401
- Check if Email is Verified - Keep the Discourse account unactivated until Discourse receives an
There are a couple other admin options that would be required along with this, like preventing a user from changing their email in Discourse and allowing admins to specify a URL to send users to where they can change their email at the OAuth2 provider.