SSO JWT - Passing Groups

arivanandan · February 11, 2020, 6:12am

I use https://github.com/discourse/discourse-jwt for auth with a custom JWT service.

It works for logging the user in but passing the key groups doesn’t seem to be doing anything. I’ve looked through the code for ManagedAuthenticator and don’t see anything pertaining to groups either.

Is it missing something or is my understanding of this incorrect?

Thanks!

david · February 11, 2020, 9:14am

You’re not missing anything - the JWT plugin doesn’t support passing groups. Making it possible would require some development work on the plugin.

arivanandan · February 14, 2020, 1:51pm

@david How hard do you think this is to do for someone who hasn’t written plugins? Is it as simple as fetching by name, the groups that come from the JWT, from discourse and assigning the query result (of the group objects) to user.groups? I’ve some familiarity with the plugin (simple as it is) and might be able to do this.

Also, should I even bother with this? If I have a JWT in hand can I authenticate through OpenID Connect?

david · February 14, 2020, 1:57pm

It depends how you want it to work… you probably want to be able to create normal groups in Discourse as well, without the JWT randomly removing members from them. In our native Discourse SSO system, we solve this with two parameters: “add groups”, and “remove groups”.

https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L159-L179

In the JWT plugin, you would probably add this logic in the after_authenticate function of the authenticator. Make sure you call super, and return its response, so all the existing stuff still works correctly. An example of that kind of override is here

arivanandan · February 14, 2020, 2:01pm

Great! That gives me what I wanted; I should be able to figure the rest out. Thanks!

wlandgraf · February 26, 2020, 4:41pm

Did you move forward with this? I wonder how I can do a SSO using just JWT?

arivanandan · February 28, 2020, 4:30pm

The discourse-jwt plugin works. Although, it seems it’s designed to only work with only the HS256 algorithm for whatever reason. It’s simple enough to make it work with others.

You can look at the repo I played around with https://github.com/arivanandan/discourse-jwt/blob/master/plugin.rb

system · March 29, 2020, 4:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSO with Roles translating to Groups Feature	2	1468	February 10, 2020
How to hook up JWT Single Sign On to Discourse Support	4	4266	April 7, 2021
Mapping claims from JWT to a Discourse User via login plugin SSO oauth2 , openid-connect	5	309	March 19, 2024
Discourse SSO with OAuth2 Support	5	2707	December 3, 2019
Discourse Wordpress plugin SSO wishlist WordPress	3	1290	February 22, 2017

SSO JWT - Passing Groups

Related Topics