Discourse: autologin with SSO

In reply to Discourse, Wiki.js and SSO, which I can no longer reply to directly.

The Discourse package is already connected to LDAP and makes it possible to have an account synchronised between YUNoHost and Discourse, while also having additional users on Discourse. However, it does not allow synchronising groups or being logged in automatically on arriving at the forum.

It is possible to add these two features, at the cost of losing the ability to add Discourse accounts that are not linked to YUNoHost accounts.

The method I propose uses another application, Nextcloud, which by default lets you be logged in automatically, and one of its plugins that links it to a Discourse.

  1. Make a backup of your Discourse!! (you never know)

  2. Install Discourse and Nextcloud

  3. In Nextcloud, install the Discourse SSO plugin (they call it an application)

    • Change the plugin settings in Administration / Security
    • Client Secret : Open a notepad, then press your arm at random on the keyboard to get a random string of characters. A good thirty or so will do.
    • Discourse URL : The address of the forum home page (e.g. forum.chezmoi.fr)
  4. In Discourse, enable login via Nextcloud:

    • discourse connect url : [nextcloud]/index.php/apps/discoursesso
    • discourse connect secret : the same long list of characters
    • enable discourse connect
    • Create groups on Discourse that have the same name as the Nextcloud groups, which themselves have the same name as the YUNoHost groups.

Going further

  • If you don't want to use Discourse, you can make it so that each user cannot use shared folders, and make it so that the automatic files do not appear.

Answering Discourse, Wiki.js and SSO, that I can’t answer directly.

The Discourse package already works with LDAP and allows a synchronised account between Discourse and YUNoHost, and additionally allows other accounts specific to Discourse. It’s not possible yet to synchronise groups nor to be automatically logged in on landing.

It is possible to add those two features, by losing the ability to add additional accounts not linked to YUNoHost accounts.

This method uses Nextcloud as a relay, because it allows autoconnect, group synchronisation and Discourse SSO.

  1. Save your Discourse database!!

  2. Install Discourse and Nextcloud (if necessary)

  3. In Nextcloud, install the Discourse SSO plugin (they call it an app)

    • One can modify the plugin settings in Admin / Security
    • Client Secret : Open a notepad and use your elbow on the keyboard until you have 30ish characters.
    • Discourse URL : The forum landing page (ex : forum.myhome.net)
  4. In Discourse, activate DiscourseConnect through Nextcloud:

    • discourse connect url : [nextcloud]/index.php/apps/discoursesso
    • discourse connect secret : the same long list of random characters
    • enable discourse connect
    • Add groups on Discourse that share the same name as Nextcloud groups; those already have the same names as YUNoHost groups.

If needed

  • If you completely don’t care about Nextcloud, you can remove the ability for users to use it by setting their quota to 0B, and removing the default files skeleton.
3 Likes
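The secret entered in steps 3 and 4 is the HMAC-SHA256 key that both sides of a DiscourseConnect login use to sign the identity and group data, so it should come from a random generator. The sketch below is an added example, not part of the original post and not the Nextcloud plugin's code; it walks the exchange with a generated secret, and the hostname and user values are constructed.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode

def new_secret() -> str:
    # 32 bytes from the OS CSPRNG as URL-safe text (43 characters)
    return secrets.token_urlsafe(32)

def sign(payload_b64: str, secret: str) -> str:
    # DiscourseConnect: sig = hex(HMAC-SHA256(secret, base64 payload))
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()

def encode(fields: dict) -> str:
    return base64.b64encode(urlencode(fields).encode()).decode()

def decode(payload_b64: str) -> dict:
    return {k: v[0] for k, v in parse_qs(base64.b64decode(payload_b64).decode()).items()}

def discourse_request(secret: str, return_url: str):
    # Discourse side: a fresh nonce ties the reply to this login attempt
    nonce = secrets.token_hex(16)
    sso = encode({"nonce": nonce, "return_sso_url": return_url})
    return nonce, sso, sign(sso, secret)

def provider_response(sso: str, sig: str, secret: str, user: dict):
    # Provider side (Nextcloud's role in this setup): verify, then answer
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature on request")
    out = encode({"nonce": decode(sso)["nonce"], **user})
    return out, sign(out, secret)

def discourse_accept(sso: str, sig: str, secret: str, expected_nonce: str) -> dict:
    # Discourse side: reject forged or replayed responses
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature on response")
    fields = decode(sso)
    if not hmac.compare_digest(fields.pop("nonce"), expected_nonce):
        raise ValueError("nonce mismatch")
    return fields

# Constructed sample user; forum.example.org is a placeholder hostname
SAMPLE_USER = {"external_id": "42", "email": "alice@example.org",
               "username": "alice", "groups": "admins,editors"}

def demo() -> dict:
    secret = new_secret()
    nonce, sso, sig = discourse_request(secret, "https://forum.example.org/session/sso_login")
    r_sso, r_sig = provider_response(sso, sig, secret, SAMPLE_USER)
    return discourse_accept(r_sso, r_sig, secret, nonce)

if __name__ == "__main__":
    print(demo())
```

Anyone who knows or guesses the secret can produce a validly signed response for any username and group list, which is why its randomness matters.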

Hello, thank you very much (!!!), it seems to be working on my test instance.

What do you mean by this? Enabling " * Add groups on Discourse that share the same name as Nextcloud groups; those already have the same names as YUNoHost groups."?

There is a setting that looks (and is) quite dangerous : discourse connect overrides groups. You may check it.
Then, Discourse will look at Nextcloud Groups and affect users the same groups on Discourse. It may even create groups, though I’m not sure.
It may also remove users from groups that do not exist in Nextcloud/YUNoHost, which is not my case, so I’m not sure either.

1 Like

Hm, would this set who is admin/moderator on discourse (thus creating the need to set this up on nextcloud too) and so on? Then I think we would need to keep this separate, so I will leave that unchecked.

By the way, it seems that when one logs off from Discourse, it does not get relayed to Nextcloud, so upon revisiting Discourse, one is still logged in. Any ideas how to make logging off work?

Ok, this turns out not to be that hard (change DOMAIN_OF_YOUR_DISCOURSE as appropriate):

At https://DOMAIN_OF_YOUR_DISCOURSE/admin/site_settings/category/all_results?filter=logout fill in https://DOMAIN_OF_YOUR_DISCOURSE/yunohost/sso/?action=logout

There is an additional problem: when you log out and try to access your Discourse instance, you will see the Nextcloud login screen. SSH to your Yunohost and put the following into /etc/nginx/conf.d/DOMAIN_OF_YOUR_DISCOURSE/login.conf:

location /login {
    return 301 https://DOMAIN_OF_YOUR_YUNOHOST/yunohost/sso;
}

(NOTE that the last URL is different, it is your Yunohost instance; also I think login.conf can be anything as long as it ends in .conf)

That will redirect login to your Nextcloud to yunohost SSO, Nextcloud is integrated with that (and logging out of Nextcloud by default directs you to /login too, so it will be forwarded to Yunohost too).