user1283776

Reputation: 21764

How to handle Discourse SSO when the authentication site allows users to change emails?

We use a Discourse SSO flow that we have implemented based on this guide: https://meta.discourse.org/t/official-single-sign-on-for-discourse-sso/13045

It has worked well for us. But now we want to allow users in our system to change their e-mail and this seems to lead to problems.

When I change the email of my user in our system, SSO to Discourse stops working.

Login Error

There is a problem with your account. Please contact the site's administrator.

I guess that Discourse receives a payload with an email and a username that don't match and doesn't know what to do.

What is a good way to handle this?

The best idea I have come up with is to use the Discourse API to change the user's email in Discourse to match that in our system before initiating SSO.

But I don't know if this is possible. Below is my failed attempt.

Here is my request:

https://forum-stage.{domain}.com/users/{username}/preferences/email

Headers:
Content-Type: application/x-www-form-urlencoded
Accept: application/json

Body (as x-www-form-urlencoded in Postman):
email: [email protected]
api_key: 75a...77d
api_username: system

And here is the response I receive:

{
    "errors": [
        "You are not permitted to view the requested resource."
    ],
    "error_type": "invalid_access"
}

Upvotes: 2

Views: 2202

Answers (1)

tanius

Reputation: 16769

There is definitely a way to handle changing e-mail addresses on the SSO provider side, because that is possible without problems when using Discourse as the SSO provider.

We have a setup where, for weird reasons, we have one Discourse site as the SSO provider and other Discourse sites as SSO clients. It is possible to change user e-mails in the Discourse SSO provider, and then during the next login these changes are synced to the SSO clients.

I did not investigate how this mechanism works exactly, but probably via the "external ID" scheme added for SSO purposes by Discourse to user records. You would have to check the payload of the next login after an e-mail address change in such an all-Discourse SSO system to see what exactly is going on, and then could do it similarly in your own implementation.

Upvotes: 0
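As an added example (not code from either poster or from Discourse), here is a minimal Python sketch of the SSO-provider side of the flow described in the linked guide: verify the signed request Discourse redirects to you, then answer with a payload that carries a stable external_id from your own system, so that a changed e-mail is sent as an update for the existing account rather than as a new identity. The shared secret and the user record are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholder: the secret configured in Discourse's SSO settings.
SSO_SECRET = b"example-shared-secret-change-me"


def sign(payload_b64: bytes, secret: bytes = SSO_SECRET) -> str:
    """HMAC-SHA256 over the base64 payload, hex-encoded, as the guide specifies."""
    return hmac.new(secret, payload_b64, hashlib.sha256).hexdigest()


def parse_sso_request(sso: str, sig: str, secret: bytes = SSO_SECRET) -> dict:
    """Validate the signature on Discourse's redirect and return the decoded fields.

    Raises ValueError on a bad signature; the constant-time compare avoids
    leaking how many bytes of a forged signature matched.
    """
    if not hmac.compare_digest(sign(sso.encode(), secret), sig):
        raise ValueError("bad SSO signature")
    decoded = base64.b64decode(sso).decode()
    fields = {k: v[0] for k, v in parse_qs(decoded).items()}
    if "nonce" not in fields:
        raise ValueError("nonce missing from SSO payload")
    return fields


def build_sso_response(nonce: str, user: dict, secret: bytes = SSO_SECRET) -> dict:
    """Build the sso/sig pair to redirect back to Discourse.

    external_id must be a stable identifier from your own system (never the
    e-mail address): Discourse uses it to recognise the account, so a new
    e-mail arrives as an attribute change for a known user. Whether the
    stored e-mail is actually overwritten is governed by the site's SSO
    override settings on the Discourse side.
    """
    payload = urlencode({
        "nonce": nonce,
        "external_id": str(user["id"]),
        "email": user["email"],
        "username": user["username"],
        "name": user["name"],
    })
    sso_b64 = base64.b64encode(payload.encode())
    return {"sso": sso_b64.decode(), "sig": sign(sso_b64, secret)}
```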
