With SSO, user sees no message when account needs approval

(Themightychris) #1

If SSO is enabled and must approve users is enabled, users logging in for the first time will just see the Discourse page flicker without any change or message. Their account works correctly after being approved, but it is not apparent until then that they are waiting for that. Discourse should handle displaying a message to the user if SSO was successful but their Discourse account is pending approval.

(Jeff Atwood) #2

I am not sure this is a valid combination of settings. SSO implies the user is pre approved from the parent site.

(Themightychris) #3

In my use case I’m trying to provide unified identity for a small network of Discourse sites. I have several Discourse instances configured to SSO into the same identity providing website, and some of the Discourse instances want to approve who from the network joins their forum. The approve system in Discourse works quite nicely and I’d prefer to leave it to the moderators of each instance to approve memberships, with our identity provider only providing identity and not keeping track of which forums the user should have access to.

Discourse seems to already handle this combination of settings correctly as far all the workflows go, I tested it thoroughly. The only issue is the silent discarding of valid SSO payloads before returning the user to the same page they just clicked login from. To the incoming user the screen just flickers when they keep clicking “Log in” like nothing happened, but behind the scenes Discourse accepted the SSO payload, created a user, and put them in pending. Some sort of message to the effect of “Your account is pending approval” like they would see using local login would enable this combination of settings to work smoothly.

(Themightychris) #4

@codinghorror I found a TODO placeholder for this in the code: discourse/session_controller.rb at master · discourse/discourse · GitHub

(Themightychris) #5

Here’s a simplistic fix that seems to solve the issue well enough for now: respond with error when user signs in via SSO to an account pending approval by themightychris · Pull Request #2961 · discourse/discourse · GitHub

(Full disclosure: my first ever line of Ruby)