It works for logging the user in but passing the key groups doesn’t seem to be doing anything. I’ve looked through the code for ManagedAuthenticator and don’t see anything pertaining to groups either.
Is it missing something or is my understanding of this incorrect?
@david How hard do you think this is to do for someone who hasn’t written plugins? Is it as simple as fetching by name, the groups that come from the JWT, from Discourse and assigning the query result (of the group objects) to user.groups? I’ve some familiarity with the plugin (simple as it is) and might be able to do this.
Also, should I even bother with this? If I have a JWT in hand can I authenticate through OpenID Connect?
It depends how you want it to work… you probably want to be able to create normal groups in Discourse as well, without the JWT randomly removing members from them. In our native Discourse SSO system, we solve this with two parameters: “add groups”, and “remove groups”.
In the JWT plugin, you would probably add this logic in the after_authenticate function of the authenticator. Make sure you call super, and return its response, so all the existing stuff still works correctly. An example of that kind of override is here.
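The "add groups" / "remove groups" approach from the reply above, as an added example that is not part of the thread or of the discourse-jwt plugin. It is plain Ruby that plans membership changes from an already-verified JWT payload; the claim names `add_groups` and `remove_groups`, the function names, and the protected-group list are assumptions made for illustration.

```ruby
require "set"

# Hypothetical claim names, modelled on the "add groups" / "remove groups" idea.
ADD_CLAIM = "add_groups"
REMOVE_CLAIM = "remove_groups"

# Accept either a JSON array or a comma-separated string; drop anything else.
def group_names(value)
  list = case value
         when String then value.split(",")
         when Array then value
         else []
         end
  list.select { |n| n.is_a?(String) }
      .map { |n| n.strip.downcase }
      .reject(&:empty?)
      .uniq
end

# Returns the membership changes to apply. Groups the token does not name are
# never touched, so manually managed groups keep their members.
def plan_group_sync(claims:, current:, known:, protected_groups: [])
  current = current.map(&:downcase).to_set
  known = known.map(&:downcase).to_set
  blocked = protected_groups.map(&:downcase).to_set

  wanted_add = group_names(claims[ADD_CLAIM])
  wanted_remove = group_names(claims[REMOVE_CLAIM])

  # Names that do not exist on the site, or that the token must not control
  # (for example privileged groups), are reported instead of applied.
  skipped = (wanted_add + wanted_remove).uniq
                                        .reject { |n| known.include?(n) && !blocked.include?(n) }
  # A name listed in both claims is only removed, the more conservative outcome.
  add = wanted_add - wanted_remove - skipped - current.to_a
  remove = (wanted_remove - skipped).select { |n| current.include?(n) }

  { add: add, remove: remove, skipped: skipped }
end

# Constructed sample: decoded JWT payload and site state, not real data.
SAMPLE_CLAIMS = { "sub" => "42",
                  ADD_CLAIM => ["Engineering", "admins", "ghost"],
                  REMOVE_CLAIM => "contractors, engineering-alumni" }
SAMPLE_PLAN = plan_group_sync(
  claims: SAMPLE_CLAIMS,
  current: %w[contractors book-club],
  known: %w[engineering contractors engineering-alumni book-club admins],
  protected_groups: %w[admins]
)
```

In a plugin, a plan like this would be applied inside the `after_authenticate` override, after calling `super` and before returning its response.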
The discourse-jwt plugin works. Although, it seems it’s designed to work with only the HS256 algorithm for whatever reason. It’s simple enough to make it work with others.