SSO JWT - Passing Groups

I use discourse/discourse-jwt (GitHub: "Discourse Auth support for JSON Web Tokens (JWT)") for auth with a custom JWT service.

It works for logging the user in but passing the key groups doesn’t seem to be doing anything. I’ve looked through the code for ManagedAuthenticator and don’t see anything pertaining to groups either.

Is it missing something or is my understanding of this incorrect?


1 Like

You’re not missing anything - the JWT plugin doesn’t support passing groups. Making it possible would require some development work on the plugin.


@david How hard do you think this is to do for someone who hasn’t written plugins? Is it as simple as fetching, by name, the groups that come from the JWT from Discourse and assigning the query result (of the group objects) to user.groups? I’ve some familiarity with the plugin (simple as it is) and might be able to do this.

Also, should I even bother with this? If I have a JWT in hand can I authenticate through OpenID Connect?

It depends how you want it to work… you probably want to be able to create normal groups in Discourse as well, without the JWT randomly removing members from them. In our native Discourse SSO system, we solve this with two parameters: “add groups”, and “remove groups”.

In the JWT plugin, you would probably add this logic in the after_authenticate function of the authenticator. Make sure you call super, and return its response, so all the existing stuff still works correctly. An example of that kind of override is here

1 Like
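Added example, not part of the thread and not code from the discourse-jwt plugin: a plain-Ruby model of the override described in the reply above, where `after_authenticate` calls `super`, applies "add groups" and "remove groups" from the token, and returns super's result. The claim names `add_groups` and `remove_groups`, the `MANAGED_GROUPS` allowlist and the stand-in classes are assumptions made so the sketch runs without Discourse; the claims are assumed to come from a token whose signature has already been verified.

```ruby
require "set"

# Stand-ins for Discourse objects (hypothetical, so the example runs offline).
User = Struct.new(:username, :groups)
AuthResult = Struct.new(:user, :claims)

# Stand-in for the plugin's authenticator: the login logic that must keep working.
class BaseAuthenticator
  def after_authenticate(claims)
    AuthResult.new(User.new(claims.fetch("username"), Set.new), claims)
  end
end

class GroupSyncAuthenticator < BaseAuthenticator
  # Assumption: only these groups may be managed by the token. Anything else
  # (staff, admins, hand-curated groups) is never touched.
  MANAGED_GROUPS = Set["members", "beta-testers", "partners"].freeze

  def initialize(existing_memberships = {})
    @existing = existing_memberships # username => Set of group names
  end

  def after_authenticate(claims)
    result = super                      # keep the existing behaviour
    user = result.user
    return result if user.nil?
    user.groups = (@existing[user.username] || Set.new).dup
    add = parse(claims["add_groups"]) & MANAGED_GROUPS
    remove = parse(claims["remove_groups"]) & MANAGED_GROUPS
    user.groups.merge(add)
    user.groups.subtract(remove - add)  # a group named in both lists stays
    result                              # hand back super's response
  end

  private

  # Accepts a comma-separated string or an array; ignores anything else.
  def parse(value)
    list = value.is_a?(String) ? value.split(",") : Array(value)
    list.grep(String).map { |g| g.strip.downcase }.reject(&:empty?).to_set
  end
end

def demo_sync
  auth = GroupSyncAuthenticator.new("alice" => Set["book-club", "partners"])
  claims = { "username" => "alice", "add_groups" => "members,admins",
             "remove_groups" => ["partners", "book-club"] } # constructed payload
  auth.after_authenticate(claims).user.groups.to_a.sort
end
```

In the constructed payload, `admins` is ignored on add and `book-club` is ignored on remove because neither is in the allowlist, which is what keeps a token from granting privileged membership or stripping members from groups created by hand in Discourse.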

Great! That gives me what I wanted; I should be able to figure the rest out. Thanks!

1 Like

Did you move forward with this? I wonder how I can do an SSO using just JWT?

The discourse-jwt plugin works. Although, it seems it’s designed to work with only the HS256 algorithm for whatever reason. It’s simple enough to make it work with others.

You can look at the repo I played around with: discourse-jwt/plugin.rb at master · arivanandan/discourse-jwt · GitHub
