Stop Discord prompting for auth on every login

Hi there!

I’ve setup discord login on my self hosted installation. It works pretty great…except for one small thing.

When a user signs in with discord, they are taken to the authorization page every time, meaning they have to agree the authorization anytime they login. From my understanding, this should just be a one step process upon the very first time they connect discord login with discourse.

Anyway how to fix this? I followed the documentation.

3 Likes

Is anyone facing this issue?

2 Likes

Yes, I tried on my instance and I can replicate the issue.

2 Likes

Do you see the same behaviour on other sites which offer “login with Discord”? If so, it might be the expected behaviour of the Discord login system, rather than a Discourse-specific issue.

This is not the intended behavior. Other sites and forums I use login with discord only requires a one time authentication. After that, any time you login with discord you’re automatically logged in without going to the auth page.

It has to do with Discourse.

Is there a public example you can share so we can try it out and compare the implementation?

I’m not sure what you mean by public example, I apologize.

However this is not the norm. It should only require discord authentication only the very first time.

I mean:

Can you share a link to one of them? Then we might be able to look at how they’re implemented, and adjust discourse to match.

Here is a message board I frequent, but it is not discourse software.

https://famiboards.com/

1 Like

I wonder if it’s because of the missing prompt param to none in the auth URL?

prompt controls how the authorization flow handles existing authorizations. If a user has previously authorized your application with the requested scopes and prompt is set to consent , it will request them to reapprove their authorization. If set to none , it will skip the authorization screen and redirect them back to your redirect URI without requesting their authorization

1 Like

I think you may be onto something. I found this.

Perhaps this could be updated within Discourse? As far as I know, this is not something I can do in my administrative panel, or the discord dev portal.

2 Likes

There is a prompt setting for Google Auth in Discourse, and I think it would be reasonable to add one for Discord.

1 Like

I just noticed this too.

Do you happen to know where the file for this login setup is installed within Discourse? Thinking about placing

"upstream_params": {
			"prompt": {
				"value": "none"
			}
		},

within the file and rebuilding, seeing if that fixes it.

Edit: On second thought, I don’t think I can locate the file that would allow me to implement this. I think a fix from Discourse is what is necessary in order to get this functioning as intended.

Since I have the issue on my instance:

Yes, wait news from the team :+1:

1 Like

Cool. Do I need to do anything else (but wait for an update?)

I’m assuming there is no real ETA for a fix like this, and it likely depends on an urgency status flow. It’s just a minor inconvenience, I suppose. But it would be awesome to see fixed!

A change to add prompt=none sounds good to me. If someone can write, test and make a PR, that will help to expedite the change.

The relevant file would be this one, but I don’t know off-hand exactly what change would be required.

2 Likes

Looking through the file, I added

option :authorize_params, prompt: 'none'

underneath

option :authorize_options, %i[scope permissions]

on my self hosted install.

It sort of works…, but not as we’d like.

It still takes you to the discord auth page, however, the user no longer has to click authorize. The page will reload then take you back to your discourse page.

One step forward, another step backward. :melting_face:

Edit: I see @Arkshine and I tested the change and got the same result.

1 Like

I did a quick test (https://discourse.arkshine.dev/):

It shows the auth page but redirects automatically.

1 Like

Even with the change, it still proceeds you to the discord authentication page - which it shouldn’t do (although this time you don’t need to manually press authenticate).

Submitting a PR with the suggested change unfortunately would not fix the issue.