SSO vs Oauth2 difference?

Hello

I’m working on a website with django CMS.
I would like to link the user accounts of my site to Discourse.

As a first step, I wish to understand the difference between SSO and OAuth2. I thought it was the same thing, but there are two tools, so it can’t be the same thing.
Thanks

SSO, when activated, will be the only way to log in.

oAuth2 can be one of the login methods, like having the option to log in with oAuth2 and Facebook and local password.

SSO also provides more functionality, like receiving bios, avatars, group membership, etc.

10 Likes

Jumping in as I also need some clarifications about this.

Is there any way I can enable SSO with OAuth2? My identity provider has all the configuration to set up OAuth2, like oauth2 client id, oauth2 client secret, oauth2 authorize url, oauth2 token url, oauth2 user json url, information paths to the corresponding piece of data in the returned json. But I can’t seem to enable SSO to rely on OAuth2.

Thanks!

I believe we had a customer with a single oAuth 2 provider, so we forced it through rather than making the user pick from a menu of … one item … as I recall @sam worked on it but I may be mistaken.

Yeah if there is only one way to login we bypass a screen so you don’t have to “click” and then “click” when logging in.

Our default https://github.com/discourse/discourse-oauth2-basic supports a lot of stuff, but is not as rich as SSO. So it depends on how much information you want to drive from oAuth2.

If basic is not good enough you will need to build another custom plugin to fish out the rest of the fields or do a PR to our official basic plugin.

3 Likes

Thanks for the explanation.

I would very much like to see how I can bypass the unnecessary screen if the code is available somewhere.

Anyway, between this and Login to Discourse with custom Oauth2 provider answer, I think I have a clear path now. Feel free to continue asking @remy_dev if it is not enough for you :slight_smile:

Thanks again!

i.e. if you disable ALL other authentication methods except one, that should happen. Don’t forget “Local Login”!

3 Likes

Ah right! When logging in, that happens. I kept thinking about creating a user, where after OAuth2 a user creation dialog shows up. I guess I want the SSO flow as, ideally, the user should not need to create an account again.

I will need to see what I can do. Auth0, the identity provider I use, does not seem to have a clear path to hook up SSO in a straightforward way.

Thanks again, again :stuck_out_tongue:

Have you seen:

Definitely tried it: https://github.com/auth0/discourse-plugin/issues/20. :+1:

2 Likes

One big difference that bothers me is:

  • When using SSO, and login required if you go to the forum home, the login process starts automatically.

  • If you have only one oAuth2 login method, and login required, navigating to the forum home displays a page asking you to log in.

6 Likes

Interesting, yeah that is a bug with login required that we should fix

4 Likes

Great summary! This is exactly what I hope to resolve as well.

@Falco / @sam are you aware of any updates on this?

I definitely want to get this improved but it is not slotted quite yet. @david do you want to take this TODO? Not urgent but some time in the next 6 months.

4 Likes

I will probably attempt to work around this for now by refreshing https://github.com/ComputerScienceHouse/DiscourseOIDC.

Also, something I’m missing for OAuth2 / OIDC as compared to SSO is the ability to utilize group information. If I get to make the bridge, I’ll add that ability in the bridge by passing such info along.

3 Likes

@sam Is there any update on this? It seems, even though we only have 1 login method, you still need to click login to get access to the forum. I think SSO is an alternative, but it requires an extra layer in your infrastructure and thus adds complexity, so I’m debating whether we should go for that or not.

1 Like

Nothing yet, but it is still on our list to implement. I will take a look at it this week and see how much work it will be.

6 Likes

This is now implemented:

https://github.com/discourse/discourse/commit/0a14b9b42a2f597f5df26be97296a4d6909f6a34

If there is only one external authenticator enabled and local logins are disabled and the site requires login, then users will be directed straight to the external authentication page. This exactly matches the implementation of our Discourse-native SSO.

I can’t think of a reason why anyone wouldn’t want this, so this is now the default behaviour.

cc @consideRatio @Joralf

9 Likes