#9580 small initiative request: groups support for oauth2 for discourse
Opened 4 months ago by mattdm. Modified 2 months ago

Describe what you would like us to do:

The Discourse forum software used for https://discussion.fedoraproject.org and https://ask.fedoraproject.org uses Oauth2. Unfortunately, Discourse's support for group membership from SSO only works with their own SSO solution, not Oauth2. However, @puiterwijk wrote some quick, untested patches which probably implement the functionality for Oauth2. Discourse is willing to review these, but I feel like it'd be kind of rude to send those to them without actually testing that they even run.

Our actual instances are hosted, which is great in general, but makes it hard to actually test something like this. So, it would be nice to have a test instance where these patches could be applied and validated, and where we could experiment with other functionality in the future.

Install instructions are here: https://github.com/discourse/discourse/blob/master/docs/INSTALL-cloud.md. It's Docker-based and they promise "under 30 minutes".

That guide says that incoming email is essential, but I don't think it actually is for these purposes, as we can tell it to trust the email addresses from FAS, and we're not expecting actual users.

Note that the official install assumes Ubuntu LTS, but from https://meta.discourse.org/t/please-document-supported-distros/154087/15?u=mattdm there should be no problem running on Fedora Server, CentOS Stream, or RHEL.

And, of course we need it deployed with FAS Oauth2 hooked up.

Then, Patrick's patches are the two listed at https://meta.discourse.org/t/does-sso-overrides-groups-work-with-oauth2/175606/5

Once the testing is complete, this could be taken back offline or archived, or left up for future tests of other patches.

When do you need this to be done by? (YYYY/MM/DD)

This is a nice to have. I'd like to do more with discourse, and this is a prereq for a lot of it, so... Q3 maybe? Or if we can fit in some smaller tasks before then I'd like this to be one of them.

Note that an alternate solution to the same problem would be to implement Doscourse's own SSO protocol (DiscourseConnect) https://meta.discourse.org/t/discourseconnect-official-single-sign-on-for-discourse-sso/13045 for FAS in some way.

Can we do this in openshift?

Metadata Update from @humaton:
- Issue tagged with: medium-gain, medium-trouble, ops

4 months ago

Metadata Update from @humaton:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

4 months ago

Can we do this in openshift?

Possibly. As I understand it, their container is designed to interact directly with files in /var/discourse on the host, though, so it might need some work to adapt. And I think it expects to run as root. One of the upstream devs has posted a guide for setting up a devel instance on Fedora Linux directly without containers, which ironically could probably help making a containerized environment that works in OpenShift.

My primary interest here is in getting the group feature enabled, and the test system is just a means to that, so my hope is "by whatever means is fastest".

Metadata Update from @kevin:
- Issue tagged with: mini-iniative

2 months ago

Login to comment on this ticket.

Boards 1
ops Status: Backlog