I’m working on a website with django CMS.
I would like to link the user accounts of my site to discourse.
As a first step, I wish to understand the difference between SSO and OAuth2. I thought it was the same thing, but there are two tools, so it can’t be the same thing.
Thanks
Jumping in as I also need some clarifications about this.
Is there any way I can enable SSO with OAuth2? My identity provider has all the configuration to set up OAuth2, like oauth2 client id, oauth2 client secret, oauth2 authorize url, oauth2 token url, oauth2 user json url, information paths to the corresponding piece of data in the returned JSON. But I can’t seem to enable SSO to rely on OAuth2.
I believe we had a customer with a single OAuth 2 provider, so we forced it through rather than making the user pick from a menu of … one item … as I recall @sam worked on it but I may be mistaken.
Ah right! When logging in, that happens. I kept thinking about creating a user, since after OAuth2 a user creation dialog shows up. I guess I want the SSO flow as, ideally, the user should not need to create an account again.
I will need to see what I can do. Auth0, the identity provider I use, does not seem to have a clear path to hook up SSO in a straightforward way.
I definitely want to get this improved but it is not slotted quite yet. @david do you want to take this TODO? Not urgent but some time in the next 6 months.
Also, something I’m missing for OAuth2 / OIDC as compared to SSO is the ability to utilize group information. If I get to make the bridge, I’ll add that ability in the bridge by passing such info along.
@sam Is there any update on this? It seems, even though we only have 1 login method, you still need to click login to get access to the forum. I think SSO is an alternative, but it requires an extra layer in your infrastructure and thus adds complexity, so I’m debating whether we should go for that or not.
If there is only one external authenticator enabled and local logins are disabled and the site requires login, then users will be directed straight to the external authentication page. This exactly matches the implementation of our Discourse-native SSO.
I can’t think of a reason why anyone wouldn’t want this, so this is now the default behaviour.