spinen / laravel-discourse-sso

Integrate Discourse SSO into Laravel

Home Page: https://spinen.com

PHP 100.00%
laravel laravel-5-package spinen discourse discourse-sso single-sign-on discourse-php laravel-discourse-sso

laravel-discourse-sso's People

Contributors

jamiebradders, jimmypuckett, jtolj, lucasdcrk, shugyosha89, ssfinney, trippo

laravel-discourse-sso's Issues

What does the 'access' setting do?

// Check to see if the user has forum access & should be logged in via SSO
'access' => null,

Could you give a brief explanation of what this setting does?

We currently have it set to null, but SSO from Discourse is working.

Is it to control from our Laravel site whether we want users on an individual basis to have access to Discourse?

Bug: No SSO Route after Installation

Hi there, I have followed the instructions from the README and I'm afraid to say that I can't see the SSO route in the available list of routes - the same issue occurs if I clear the route cache too.

I am trying to install in a Laravel 11 Project with Laravel Jetstream.

After following the guide I get a 404 when attempting to navigate to /discourse/sso. The artisan route:list command lists the following:

  GET|HEAD  / ............................................................... generated::QezdvotXfOs0UY0c
  POST      _ignition/execute-solution ignition.executeSolution › Spatie\LaravelIgnition › ExecuteSoluti…
  GET|HEAD  _ignition/health-check ignition.healthCheck › Spatie\LaravelIgnition › HealthCheckController
  POST      _ignition/update-config ignition.updateConfig › Spatie\LaravelIgnition › UpdateConfigControl…
  GET|HEAD  api/user ........................................................ generated::cgdtJVmQdhBT5fsn
  GET|HEAD  dashboard ......................................................................... dashboard
  GET|HEAD  forgot-password ..... password.request › Laravel\Fortify › PasswordResetLinkController@create
  POST      forgot-password ........ password.email › Laravel\Fortify › PasswordResetLinkController@store
  GET|HEAD  livewire/livewire.js generated::GHPOcWxwNwj6TlXw › Livewire\Mechanisms › FrontendAssets@retu…
  GET|HEAD  livewire/livewire.min.js.map generated::9XHbpXHwm2JZ9I3I › Livewire\Mechanisms › FrontendAss…
  GET|HEAD  livewire/preview-file/{filename} livewire.preview-file › Livewire\Features › FilePreviewCont…
  POST      livewire/update ......... livewire.update › Livewire\Mechanisms › HandleRequests@handleUpdate
  POST      livewire/upload-file . livewire.upload-file › Livewire\Features › FileUploadController@handle
  GET|HEAD  login ....................... login › Laravel\Fortify › AuthenticatedSessionController@create
  POST      login .. generated::6LUmjUsTIEjp4m8a › Laravel\Fortify › AuthenticatedSessionController@store
  POST      logout .................... logout › Laravel\Fortify › AuthenticatedSessionController@destroy
  GET|HEAD  register ....................... register › Laravel\Fortify › RegisteredUserController@create
  POST      register ..... generated::LaoFnGgK22srynpP › Laravel\Fortify › RegisteredUserController@store
  POST      reset-password .............. password.update › Laravel\Fortify › NewPasswordController@store
  GET|HEAD  reset-password/{token} ...... password.reset › Laravel\Fortify › NewPasswordController@create
  GET|HEAD  sanctum/csrf-cookie ....... sanctum.csrf-cookie › Laravel\Sanctum › CsrfCookieController@show
  GET|HEAD  two-factor-challenge two-factor.login › Laravel\Fortify › TwoFactorAuthenticatedSessionContr…
  POST      two-factor-challenge generated::UNYPJXQyuzFLodV4 › Laravel\Fortify › TwoFactorAuthenticatedS…
  GET|HEAD  up .............................................................. generated::JBkvPZDfz1FSukoO
  GET|HEAD  user/confirm-password generated::4UsAH4mCykdiEGdt › Laravel\Fortify › ConfirmablePasswordCon…
  POST      user/confirm-password password.confirm › Laravel\Fortify › ConfirmablePasswordController@sto…
  GET|HEAD  user/confirmed-password-status password.confirmation › Laravel\Fortify › ConfirmedPasswordSt…
  POST      user/confirmed-two-factor-authentication two-factor.confirm › Laravel\Fortify › ConfirmedTwo…
  PUT       user/password ............ user-password.update › Laravel\Fortify › PasswordController@update
  GET|HEAD  user/profile .................. profile.show › Laravel\Jetstream › UserProfileController@show
  PUT       user/profile-information user-profile-information.update › Laravel\Fortify › ProfileInformat…
  POST      user/two-factor-authentication two-factor.enable › Laravel\Fortify › TwoFactorAuthentication…
  DELETE    user/two-factor-authentication two-factor.disable › Laravel\Fortify › TwoFactorAuthenticatio…
  GET|HEAD  user/two-factor-qr-code two-factor.qr-code › Laravel\Fortify › TwoFactorQrCodeController@show
  GET|HEAD  user/two-factor-recovery-codes two-factor.recovery-codes › Laravel\Fortify › RecoveryCodeCon…
  POST      user/two-factor-recovery-codes generated::8hvxXJmnC4rvolSR › Laravel\Fortify › RecoveryCodeC…
  GET|HEAD  user/two-factor-secret-key two-factor.secret-key › Laravel\Fortify › TwoFactorSecretKeyCont

I also see a 404 when attempting to open the Discourse instance after applying the settings to enable SSO. I'm being redirected to http://localhost/discourse/sso?sso=bm9uY2U9ZjI0MmIzZjUzNWNiM2QwN2FhN2ZmYTczZWFmNWZjNmEmcmV0dXJuX3Nzb191cmw9aHR0cCUzQSUyRiUyRmxvY2FsaG9zdCUzQTMwMDAlMkZzZXNzaW9uJTJGc3NvX2xvZ2lu&sig=374fbc2b279cf748779bc9f6bdc2a21f27f6d17b6be9bcff44dcc7e621241862 - the 404 here also suggesting the SSO route has not been registered.

Below is my services config, as far as I can tell I have configured this correctly:

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Third Party Services
    |--------------------------------------------------------------------------
    |
    | This file is for storing the credentials for third party services such
    | as Mailgun, Postmark, AWS and more. This file provides the de facto
    | location for this type of information, allowing packages to have
    | a conventional file to locate the various service credentials.
    |
    */

    'postmark' => [
        'token' => env('POSTMARK_TOKEN'),
    ],

    'ses' => [
        'key' => env('AWS_ACCESS_KEY_ID'),
        'secret' => env('AWS_SECRET_ACCESS_KEY'),
        'region' => env('AWS_DEFAULT_REGION', 'us-east-1'),
    ],

    'slack' => [
        'notifications' => [
            'bot_user_oauth_token' => env('SLACK_BOT_USER_OAUTH_TOKEN'),
            'channel' => env('SLACK_BOT_USER_DEFAULT_CHANNEL'),
        ],
    ],

    'discourse' => [
        // Middleware for the SSO login route to use
        'middleware' => ['web', 'auth'],

        // The route's URI that acts as the entry point for Discourse to start the SSO process.
        // Used by Discourse to route incoming logins.
        'route' => 'discourse/sso',

        // Optional domain to link sso route when using Subdomain Routing
        'domain' => null,

        // Secret string used to encrypt/decrypt SSO information,
        // be sure that it is 10 chars or longer
        'secret' => env('DISCOURSE_SECRET'),

        // Disable Discourse from sending welcome message
        'suppress_welcome_message' => 'true',

        // Where the Discourse forum lives
        'url' => env('DISCOURSE_URL'),

        // Api-specific items
        // For logging out of Discourse directly, generate an API key as an "All user key" and put the key & user here.
        // @see https://meta.discourse.org/t/how-to-create-an-api-key-on-the-admin-panel/87383
        'api' => [
            'key' => env('DISCOURSE_API_KEY'),
            'user' => env('DISCOURSE_API_USER'),
        ],

        // User-specific items
        // NOTE: The 'email' & 'external_id' are the only 2 required fields
        'user' => [
            // Check to see if the user has forum access & should be logged in via SSO
            'access' => null,

            // Discourse Groups to make sure that the user is part of in a comma-separated string
            // NOTE: Groups cannot have spaces in their names & must already exist in Discourse
            'add_groups' => null,

            // Boolean for making the user a Discourse admin. Leave null to ignore
            'admin' => null,

            // Full path to user's avatar image
            'avatar_url' => null,

            // The avatar is cached, so this triggers an update
            'avatar_force_update' => false,

            // Content of the user's bio
            'bio' => null,

            // Verified email address (see "require_activation" if not verified)
            'email' => 'email',

            // Unique string for the user that will never change
            'external_id' => 'id',

            // Boolean for making user a Discourse moderator. Leave null to ignore
            'moderator' => null,

            // Full name on Discourse if the user is new or
            // if SiteSetting.sso_overrides_name is set
            'name' => 'name',

            // Discourse Groups to make sure that the user is *NOT* part of in a comma-separated string.
            // NOTE: Groups cannot have spaces in their names & must already exist in Discourse
            // There is not a way to specify the exact list of groups that a user is in, so
            // you may want to send the inverse of the 'add_groups'
            'remove_groups' => null,

            // If the email has not been verified, set this to true
            'require_activation' => false,

            // username on Discourse if the user is new or
            // if SiteSetting.sso_overrides_username is set
            'username' => 'email',
        ],
    ],
];

Based on the README, I'm assuming I don't need to publish anything from the package? I assumed the route would be automatically generated? I couldn't see anything relating to this in an existing issue, but apologies if this has been raised elsewhere and I've missed something.

Ability to define the SSO route's domain?

Hi,

Not a bug, just a question.

We're using subdomain routing in our Laravel application. Our authentication routes are bound to the "account." subdomain.

Accordingly, I'd like to have the sso.login route bound to this subdomain only. It is currently a global route that you can access from any (sub)domain at discourse/sso.

Not sure how to accomplish this.

Thank you!

Send log out to Discourse

This library works great, thanks!

I saw your TODO:

  • Send log out to Discourse when disabling/deleting the user

Am I right in thinking this means syncing logout isn’t supported at all?

I have an existing /logout that needs to apply to Discourse — so that users can log out app-side.

Any approach recommendations for that?

The Discourse-side logout is easily enough catered for by setting the logout redirect in Discourse, but it looks like Discourse logs out via an auth’d DELETE /*/session which I get a 403 for currently if I ajax it app-side 😕

Middleware

Would be good if custom middleware was available for the sso route.

Although I mostly only want to check they're activated so using;

'access' => 'hasVerifiedEmail', // using Laravel's MustVerifyEmail contract.

Will work?

add_groups not working ?

Hello and thanks for this awesome package !

I use the latest version of laravel and discourse

My config is set like this :

'add_groups' => 'discourse_groups'

I've added a getDiscourseGroupsAttribute() method on my user model and it seems to be working

Using tinker I confirm having these results

>>> User::find(22)->discourse_groups
=> "manager,parents"
>>> config('services.discourse.user.add_groups')
=> "discourse_groups"
>>> 

The Discourse SSO login works fine, but when I inspect the new user in discourse, I check the last payload under SSO information and I see this:

add_groups=manager%2Cparents

I correctly have those two groups in my discourse

But the user is not added to them

Composer issue on Laravel 8

In composer.json, we're requiring "guzzlehttp/guzzle": "^7.0.1" per the Laravel 8 dependency upgrade guide and "spinen/laravel-discourse-sso": "^2.5.2".

Result of composer update:

  Problem 1
    - Can only install one of: guzzlehttp/guzzle[7.0.1, 6.5.x-dev].
    - Can only install one of: guzzlehttp/guzzle[7.0.x-dev, 6.5.x-dev].
    - Can only install one of: guzzlehttp/guzzle[7.1.x-dev, 6.5.x-dev].
    - spinen/laravel-discourse-sso 2.5.2 requires guzzlehttp/guzzle ^6.4 -> satisfiable by guzzlehttp/guzzle[6.5.x-dev].
    - Installation request for spinen/laravel-discourse-sso ^2.5.2 -> satisfiable by spinen/laravel-discourse-sso[2.5.2].

I think the package composer.json may need to be updated to support both guzzle 6.x and 7.x? Not entirely sure of the fix.

Need help troubleshooting and determining correct setting values

Hello,

I followed the instructions:

  • composer require spinen/laravel-discourse-sso
  • add array to config/services.php
  • change settings in Discourse admin panel

I'm logged in to the Laravel application. However, when I visit the Discourse instance, I'm not logged in. If I click "Log In," I'm directed back to account.mydomain.com (with an sso URL parameter) which is the URL where I would log in to Laravel if unauthenticated.

I'm confused about two settings, which I think could be the issue:

  • "sso url (Our Laravel's SSO route (FQDN))" - what is meant by "SSO route" here? Do I need to set up a route in the Laravel application where I installed this package, and if so, what should it run when hit?
  • "sso key" - is this just a key that I generate? The docs aren't clear what this key is or where it comes from. I generated a random string for this, and put it in Laravel's .env as well as the Discourse settings.

Thank you.
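
What the "sso key" asked about above is used for, as an added example that is not part of the issue thread or the package's own code: in DiscourseConnect the key is a shared secret, Discourse signs the base64 `sso` value with HMAC-SHA256 to produce `sig`, and the reply sent to `return_sso_url` is signed the same way. The function names, secret, nonce, URLs and user values are constructed for illustration.

```php
<?php
// Added illustration of the DiscourseConnect exchange; not code from spinen/laravel-discourse-sso.
// The secret, nonce, URLs and user values are constructed sample data.

const SSO_SECRET = 'constructed-sample-secret'; // must equal the "sso key" set in Discourse

/** Check sig == HMAC-SHA256(secret, sso) and return the decoded request fields. */
function parseSsoRequest(string $sso, string $sig, string $secret): array
{
    $expected = hash_hmac('sha256', $sso, $secret);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        throw new RuntimeException('bad signature: secret mismatch or altered payload');
    }

    // The payload is a base64-encoded query string: nonce=...&return_sso_url=...
    parse_str((string) base64_decode($sso), $fields);
    if (empty($fields['nonce']) || empty($fields['return_sso_url'])) {
        throw new RuntimeException('payload is missing nonce or return_sso_url');
    }

    return $fields;
}

/** Build the signed redirect that sends an authenticated user back to Discourse. */
function buildSsoResponse(array $request, array $user, string $secret): string
{
    // The nonce from the request is echoed back so Discourse can match the reply.
    $payload = base64_encode(http_build_query(['nonce' => $request['nonce']] + $user));
    $sig = hash_hmac('sha256', $payload, $secret);

    return $request['return_sso_url'] . '?' . http_build_query(['sso' => $payload, 'sig' => $sig]);
}

// Constructed request, built the way Discourse builds the one it sends to the SSO route.
$sso = base64_encode(
    'nonce=constructed0nonce&return_sso_url=' . urlencode('http://forum.example.test/session/sso_login')
);
$sig = hash_hmac('sha256', $sso, SSO_SECRET);

// Matching secret: the request verifies and a signed reply URL is produced.
$request = parseSsoRequest($sso, $sig, SSO_SECRET);
$user = ['external_id' => '22', 'email' => 'user@example.test']; // the two required fields
echo buildSsoResponse($request, $user, SSO_SECRET), PHP_EOL;

// Different secret on the two sides: the same request is rejected.
try {
    parseSsoRequest($sso, $sig, 'a-different-secret');
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```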

route session sso gives 404

So I have it setup. I go to the discourse site, it redirects me to laravel site. I sign in -- it goes to discourse site and redirects back to mylaravelsite.com/session/sso_login?sso=****

This gives me a 404.

Any routes I should be adding? I do use Laravel Spark.

Issue if not already logged into laravel

So if I am already logged into laravel this works great and connects me.

However if I click through from discourse and I am not logged in, I just get a 500 error.

Haven't had a chance to dig into it, but the expected behaviour would be to redirect me to the login page and then back here on successful login (unless I am missing something).

Laravel 8 support

With Laravel 8 released it would be nice to use this package further.

What to Enter for URL in Discourse?

Hey. I've just followed all the setup steps in the Readme, and now wanted to move to the Forum Setup. However, I have no idea what to enter for the SSO Url... mywebsite.tld/ and then what after the slash?

Logout error if user does not exist

New LogoutDiscourseUser listener is great, however if the external ID does not exist in Discourse, the GET users/by-external/.. fails. Needs some better error handling on this as it returns a 404 not found.

In our use case, users are only created in Discourse once they try to access, so we have users in laravel without matching user in Discourse.

Will try to commit when I have time

How to test the laravel-discourse-sso on my local environment

Now our forum URL is https://community.claritycooperative.com/
And our app is working on http://localhost:3000
What is the discourse_url on the config?
And also the discourse_api_user?

Is this working in the local environment?

Currently, I put the discourse_url with http://localhost:300 on the config and http://localhost:3000/discourse/sso is also the discourse URL on the forum admin.
Then I enabled the discourse connect on the admin.
After that, whenever I click the login button it always redirects to the http://localhost:3000/discourse/sso?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A&sig=2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56.

Please help me find what the issue is now.
Thanks

403 error discourse/sso

Hi - I am getting a 403 error when my site is redirecting to

mysite.test/discourse/sso

my site is on local while my forum is currently on a live url. Any ideas what might be causing this?
