User invitation, OAuth and password


(Juliendf) #1

Hi guys,

I configured my Discourse setup to be able to use OAuth authentication from Google.
I want to keep it private, so no sign-up is authorised. The user would only be allowed to sign up via invitation.
The goal would be to allow users to use google account or local account.

It works pretty well except that when I send an invite to a Google email, the user signs up and enters a password for the account. Then he is able to log in using OAuth or the password.

I would like to disable the use of a password for this type of account and only keep it for local users.

Is that possible?

I hope it makes sense, thanks all!


(Bhanu Sharma) #2

This may be possible, but I’d highly suggest against it.

If you don’t want them to remember the password, then maybe just ask them to generate a random string from random.org and set it as their password. That way, they have a password which they don’t remember and hence, the only choice they have is to use Google account to sign in.


(Juliendf) #3

The strange thing is that, when you make Discourse public, users can register using a Google account without entering any password.

Therefore maybe a solution would be to open to public but enable: “Staff must approve all new user accounts before they are allowed to access the site”

But it would be a workaround :confused:


(Bhanu Sharma) #4

I’ve never really tested that use case, so I can’t comment much about it, but wherever I’ve made private discussion boards using Discourse, those were linked to SAML or IAM based enterprise solutions.

Google, on the other hand, works fine on our public facing forum.

Your workaround is a lot of manual work to ask for …


(Jay Pfaffman) #5

No. You can disable local logins, but if you have multiple login types enabled, a user can use any of them to log in.

What problem are you trying to solve? If you want the user to be able to log in, why do you not want them to be able to choose whether to use the Google login or not?

To keep your forum private you should enable the require login and "must approve users" site settings.


(Juliendf) #6

Thanks for your reply Jay.

The only reason to disable the password for Google users is to avoid confusion. Right now a Google user can log in using OAuth or the local password, which seems weird to me!

But if I disable local accounts then I can’t send invites anymore and can only have users with Google accounts (which is not what I want)


(Bhanu Sharma) #7

So have local accounts and drop the idea of Google accounts altogether or, as I suggested earlier, let them test their typing skills by entering a forgettable password and use Google account forever.


(Juliendf) #8

Yes sure but I change my requirements to align with the solution :slight_smile:


(Jay Pfaffman) #9

It would be more confusing if two login methods were offered but there was no way to guess which one would work. As long as the social login’s email address matches the account email address, everything works just fine. Thousands of sites use this feature and you are the first person I remember seeing thinking that it’s confusing that all of the login methods work.


(Juliendf) #10

I may be unclear @pfaffman @itsbhanusharma and I apologise for that.
I’m not trying to complain or discredit Discourse at all; I’m just having a use case I’m trying to address.

If you take this Discourse website for example.
When you sign up using a Google account no password is asked and then you log in using your Google account. Perfect! Same as mine!

Where it’s different is when you receive an invite because of a private forum.
You click on the link, create your account using your Google email address and … you enter a password.

Then (this is the confusing part for me) you can log in using OAuth (no password) or the local password you entered when you signed up.

The thing is only that I’d like to have the same sign-up mechanism (Google account and no password) when you receive an invite or sign up on a public website.

I hope it makes more sense.

Thanks both for participating in this discussion :slight_smile:


(Bhanu Sharma) #11

That is supposed to happen.

Because:

In case A, the system tries to authenticate against Google but finds out that the user already exists, so it lets them in.

In case B, the system checks login credentials in the database and validates, then if it is good, it lets the user sign in.

What is confusing in that?

About invites, that needs a local account to be created or else how would the Discourse server know that the invite was accepted?

In all the cases, there has to be at least one central database to authenticate against and in your case, it’s Discourse.

There is no confusion I think. You’re just complicating things by overthinking.


(Juliendf) #12

Well, maybe, but still, having 2 methods of authentication for the same account does not seem right to me.

I’ll use it as it is and let you know if my users “overthink” too :wink:

Thanks