#9580 small initiative request: groups support for oauth2 for discourse
Closed: Invalid 2 years ago by kevin. Opened 3 years ago by mattdm.

Describe what you would like us to do:

The Discourse forum software used for https://discussion.fedoraproject.org and https://ask.fedoraproject.org uses OAuth2. Unfortunately, Discourse's support for group membership from SSO only works with their own SSO solution, not OAuth2. However, @puiterwijk wrote some quick, untested patches which probably implement the functionality for OAuth2. Discourse is willing to review these, but I feel like it'd be kind of rude to send those to them without actually testing that they even run.

Our actual instances are hosted, which is great in general, but makes it hard to actually test something like this. So, it would be nice to have a test instance where these patches could be applied and validated, and where we could experiment with other functionality in the future.

Install instructions are here: https://github.com/discourse/discourse/blob/master/docs/INSTALL-cloud.md. It's Docker-based and they promise "under 30 minutes".

That guide says that incoming email is essential, but I don't think it actually is for these purposes, as we can tell it to trust the email addresses from FAS, and we're not expecting actual users.

Note that the official install assumes Ubuntu LTS, but from https://meta.discourse.org/t/please-document-supported-distros/154087/15?u=mattdm there should be no problem running on Fedora Server, CentOS Stream, or RHEL.

And, of course we need it deployed with FAS OAuth2 hooked up.

Then, Patrick's patches are the two listed at https://meta.discourse.org/t/does-sso-overrides-groups-work-with-oauth2/175606/5

Once the testing is complete, this could be taken back offline or archived, or left up for future tests of other patches.

When do you need this to be done by? (YYYY/MM/DD)

This is a nice to have. I'd like to do more with discourse, and this is a prereq for a lot of it, so... Q3 maybe? Or if we can fit in some smaller tasks before then I'd like this to be one of them.

Note that an alternate solution to the same problem would be to implement Discourse's own SSO protocol (DiscourseConnect) https://meta.discourse.org/t/discourseconnect-official-single-sign-on-for-discourse-sso/13045 for FAS in some way.

Can we do this in openshift?

Metadata Update from @humaton:
- Issue tagged with: medium-gain, medium-trouble, ops

3 years ago

Metadata Update from @humaton:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

3 years ago

> Can we do this in openshift?

Possibly. As I understand it, their container is designed to interact directly with files in /var/discourse on the host, though, so it might need some work to adapt. And I think it expects to run as root. One of the upstream devs has posted a guide for setting up a devel instance on Fedora Linux directly without containers, which ironically could probably help making a containerized environment that works in OpenShift.

My primary interest here is in getting the group feature enabled, and the test system is just a means to that, so my hope is "by whatever means is fastest".

Metadata Update from @kevin:
- Issue tagged with: mini-iniative

3 years ago

Would an AWS instance work for this? (we could even... use ubuntu there)?

Of course this needs someone(s) working on it...

Let me provide a little more "why" background here. Discourse support for groups would let us do three main things:

  1. Provide visible "flair" to members of certain groups, e.g. Fedora Council or FESCo members. (Users can select an icon from groups to which they belong.) This:
    a. helps new-to-Fedora people identify people in leadership and other roles, and
    b. lets folks show their pride in, e.g. Design Team or Ambassadors membership.

  2. Manage permissions. This can be used to:
    a. Set up categories restricted to team members
    b. More granular things like "team members can start topics, anyone can reply"
    c. Make polls which are only open to team members, or, for example, Fedora Packagers
    d. Automatically grant higher trust level to team members — discourse starts everyone at a restricted "newbie" level, which can be frustrating for a long-time contributor coming from mailing lists and suddenly finding that they're not allowed to post links, etc.
    e. Grant moderation privileges in certain categories to group members. We have a limited number of "staff" accounts, which includes site-wide moderators, so this would allow us to scale.

For cost reasons, it may be necessary in the future for us to merge Ask Fedora and Fedora Discussion. If this is the case, parts 2a and 2b may become especially important, because there will be an influx of casual, new users. This may be overwhelming for members of teams trying to get work done. And part 2e might be essential.

As noted above, this can be accomplished in one of two ways:

  1. We get the OAuth2 patches tested, fully functional, and upstreamed.
  2. We extend Ipsilon to support DiscourseConnect

I can try to set it up in AWS. @kevin would you create an instance for me? I'll try with CentOS first.

Metadata Update from @abompard:
- Issue assigned to abompard

2 years ago

I have set up an instance in AWS for this. The instructions look for a domain name so I set a dns record discourse-test.fedorainfracloud.org

@abompard ssh centos@discourse-test.fedorainfracloud.org using the key you have in ipa should get you access.

The instance has 4GB and 2 vcpu along with 30GB disk which should be plenty.

The security group is wide open on all ports as I wasn't sure what was needed. I can tighten those up as needed.

Awesome thanks! See also https://github.com/discourse/discourse/pull/12446, which is another approach which I think aims at doing the same thing. Seems a lot more complicated than @puiterwijk's patches, though!

I just want to clear up, when I say I set up the instance. It's a blank instance for @abompard to set up discourse. I realise I wasn't very clear in my comment. Apologies for that.

Quick update:
- I got the discourse instance running in AWS (note: it does not work with podman)
- a couple days later I learned that members of the Discourse project are working to get the groups feature using a different method: https://github.com/discourse/discourse/pull/14835
Matt asked if the Google method could work for other auth sources and they said it should be easy to add when the code is merged.

As a result I'm pausing this mini-initiative, I'm following closely the work on the PR mentioned above so we can restart it when the code has landed.

Thanks @abompard! Looks like the code is merged, so.. let's find out. :)

@mattdm @abompard is this now done via the other upstream method?

Can we close this out?

Could one of you update whats still outstanding here? The upstream PR was merged, but it's not clear what other work needs doing?

CC: @mattdm and @abompard

I talked with @mattdm and apparently upstream did land something, but it's not quite what we need. ;(

So, he is going to write something that syncs people's groups and status on login.

I'm going to close this now.
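As an added illustration of what "sync people's groups and status on login" involves (this is not code from the ticket, from Discourse or from Fedora Infrastructure): the login hook has to compare the identity provider's view of the user with Discourse's current view and produce a minimal set of changes. The `groups` claim shape in the userinfo response, the `GROUP_MAP` and `TRUST_LEVEL_FOR_GROUPS` tables, and the `plan_sync` function are all assumptions made for the example. Two practitioner details are built in: only Discourse groups that the mapping declares as SSO-managed are ever removed (hand-assigned groups such as local moderators stay untouched), and a response with a verified email but no groups claim is refused rather than treated as "member of nothing", which would otherwise silently strip everyone.

```python
"""Added example: plan the Discourse group/trust-level changes for one user at login.

Not code from the ticket, Discourse or Fedora Infrastructure. Assumes the OAuth2
userinfo response carries the user's groups as a list of names under "groups"
and a standard OIDC "email_verified" claim; both are assumptions for the example.
"""
from dataclasses import dataclass, field

# Hypothetical mapping of identity-provider group -> Discourse group.
# Only the Discourse groups listed here are under SSO control.
GROUP_MAP = {
    "council": "fedora-council",
    "fesco": "fesco",
    "packager": "packagers",
    "designteam": "design-team",
}

# Hypothetical policy: members of these IdP groups skip the "newbie" trust level.
TRUST_LEVEL_FOR_GROUPS = {"packager": 2, "council": 3, "fesco": 3}


@dataclass
class SyncPlan:
    add: set = field(default_factory=set)      # Discourse groups to join
    remove: set = field(default_factory=set)   # Discourse groups to leave
    trust_level: int = 0                       # trust level to set (never lowered)


def plan_sync(userinfo: dict, current_discourse_groups: set,
              current_trust_level: int = 0) -> SyncPlan:
    """Return the changes needed to make Discourse match the IdP for this user."""
    # The ticket relies on trusting FAS email addresses; insist they are verified.
    if not userinfo.get("email_verified"):
        raise ValueError("refusing to sync a user without a verified email")
    # A missing claim is a broken response, not an empty membership list.
    if "groups" not in userinfo:
        raise ValueError("userinfo has no groups claim; refusing to sync")

    idp_groups = set(userinfo["groups"])
    wanted = {GROUP_MAP[g] for g in idp_groups if g in GROUP_MAP}
    managed = set(GROUP_MAP.values())

    plan = SyncPlan()
    plan.add = wanted - current_discourse_groups
    # Only revoke membership in SSO-managed groups; manual assignments survive.
    plan.remove = (current_discourse_groups & managed) - wanted
    # Raise trust level according to policy but never demote an existing level.
    granted = [lvl for g, lvl in TRUST_LEVEL_FOR_GROUPS.items() if g in idp_groups]
    plan.trust_level = max([current_trust_level] + granted)
    return plan


if __name__ == "__main__":
    # Constructed sample: a packager who just joined FESCo and left the design team.
    sample_userinfo = {
        "sub": "alice",
        "email": "alice@example.org",
        "email_verified": True,
        "groups": ["packager", "fesco", "cla_done"],
    }
    sample_current = {"packagers", "design-team", "hand-picked-moderators"}
    print(plan_sync(sample_userinfo, sample_current, current_trust_level=1))
```

The plan is what the login hook would then apply through whatever group and trust-level API the forum exposes; keeping the decision separate from the API calls makes the "do not remove unmanaged groups" rule easy to test on its own.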

Metadata Update from @kevin:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

2 years ago
