Hi,
Today I’ve tried to extend the authentication on our forum to AzureAD / O365. (I already have SAML to our internal AD running, but more and more users migrate to AzureAD.)
So I’ve tried the 3 providers that can do this:
https://github.com/discourse/discourse-azure-ad
https://github.com/discourse/discourse-openid-connect
and
https://github.com/discourse/discourse-plugin-office365-auth
Sadly, discourse-azure-ad didn’t do anything - it did not even show a button at the login/register screen.
openid-connect did work, but due to the nature of the Azure endpoint for “all tenants” ( https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration ), which returns a …/{tenantid}/… in the URI for “issuer”, it only works for users in our own AzureAD/Office365 tenant (and not for users in other tenants).
So, the Office365-Auth Plugin was the last one left.
It worked (also for users from other AzureAD tenants), but had a bug: when the email of the AzureAD login was not the primary email of the (already existing) Discourse user, login failed.
I.e.:
I needed to add the second address so that the login was matched to the user when registering - but as long as the address was “secondary”, login failed with an error (“you have no rights to do this”) (registering worked!).
Also, the provider did not allow me to “associate” the new login from my user screen (cool new feature).
I quickly traced the login problem with the email to this part of the code:
https://github.com/discourse/discourse-plugin-office365-auth/blob/50e21994159574c29f66dfa272f643da451e37d2/plugin.rb#L21-L34
I’m not familiar enough with Ruby and Discourse to say this definitively, but I think this code will try to update the primary email whenever one of the emails does not match (which will fail when more than one email is present and the primary is not the one from O365).
Nevertheless, openid-connect did this part correctly and even provided a setting to update the mail (or not) and to associate the login from the User screen. So I shamelessly copied the relevant lines from openid-connect to office365-auth, commented the “after_authenticate” in office365-auth and had a working login from every AzureAD-Tenant and an association if the email was any of the emails on the user.
The relevant changes are in my GitHub repository and I will create a pull request. But one problem is still left:
As I added the ability to connect/revoke, the provider is now visible in the user profile - but it is missing its name?!
How do I add this? Any links to the relevant documentation? It does not seem enough to enter it into the client.en.yml … or I’m missing something else.
After I got this fixed, I’d be happy to do a pull request for the updated/fixed provider …
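The matching behaviour described above (match the AzureAD login email against any email on the existing account, and only rewrite the primary address when a setting allows it) as an added, self-contained Ruby example; this is not code from either plugin or from Discourse, and `ForumUser`, `AuthResult` and `match_login` are hypothetical stand-ins for the real models.

```ruby
# Added example, not plugin code: models the "match any verified email" logic
# without Discourse internals. All classes here are hypothetical stand-ins.

# One verified email belonging to a forum account; `primary` marks the login address.
UserEmail = Struct.new(:email, :primary)

# A forum account with one primary and any number of secondary (verified) emails.
class ForumUser
  attr_reader :username, :emails

  def initialize(username, primary, secondaries = [])
    @username = username
    @emails = [UserEmail.new(primary.downcase, true)] +
              secondaries.map { |e| UserEmail.new(e.downcase, false) }
  end

  def primary_email
    @emails.find(&:primary).email
  end

  # Switch the primary to an address the user already owns; no new email is added.
  def promote_to_primary!(address)
    address = address.downcase
    target = @emails.find { |e| e.email == address }
    raise ArgumentError, "#{address} is not an email on this account" unless target
    @emails.each { |e| e.primary = e.equal?(target) }
    self
  end
end

# Outcome of matching an identity-provider login against local accounts.
AuthResult = Struct.new(:user, :email, :primary_updated, keyword_init: true)

# Fixed after_authenticate-style matching: the IdP email is compared against
# *every* email on the account (the failing version only accepted the primary
# and then tried to overwrite it). `overwrite_primary` mirrors the plugin setting
# that decides whether a successful login may change the primary address.
def match_login(users, idp_email, overwrite_primary: false)
  wanted = idp_email.strip.downcase
  user = users.find { |u| u.emails.any? { |e| e.email == wanted } }
  # No account owns this address: hand back no user so the caller takes the
  # registration path instead of rejecting the login.
  return AuthResult.new(user: nil, email: wanted, primary_updated: false) unless user

  updated = false
  if overwrite_primary && user.primary_email != wanted
    user.promote_to_primary!(wanted)
    updated = true
  end
  AuthResult.new(user: user, email: wanted, primary_updated: updated)
end
```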