Hi,
I enabled the setting “Require authentication to read content on this site, disallow anonymous access”.
I’m making a GET request to the /users/by-external/{EXTERNAL_ID}.json endpoint, and without the above setting enabled, it returns a user perfectly fine. But when I enable the above setting, the GET request returns nothing.
For reference, I have SSO enabled.
Let me know if there’s a workaround or if I’m thinking about this incorrectly.
Thanks in advance!
Also seeing this.
Without knowing how Discourse wants to handle this, it seems like an /admin/users/external/{EXTERNAL.ID}/log_out function would be good to have so you could logout a user by their external ID.
(I’m not a ruby expert so I don’t feel comfortable submitting a pull request for this one)
You’ll need to authenticate/log in to make that request. One way to authenticate is to supply a api_key and api_username, which sounds like what you want here. (The other way is to store Cookies.)
Thanks for getting back to me @riking. I’ve been authenticating for the log out call, since it’s a POST request so I can send the api_key and api_username in the request body. Since this call (/users/by-external/{EXTERNAL_ID}.json) is a GET request, it doesn’t make sense to send those in the request body. I tried sending them as a header in the GET request but it wasn’t working. Does this sound like it might be a bug?
Put them in as GET parameters. ?api_key=asfjkdla&api_username=system.
Wouldn’t that be a security vulnerability?
If the request is submitted over HTTPS, the only logging occurs on the server-side, which knows the key anyways.
You can mitigate by creating a new admin user and generating an API key for them, then always using that as the username.
Closing this. API credentials are now passed in through http headers.