This issue was moved to a discussion.
The State of SSO (google,facebook,twitter,microsoft,github,discourse) #12430
Comments
PS. this is for a community video art festival
Great initiative on doing the research! OAuth/OpenID is a nightmare since it can vary wildly between provider implementations, but we've tried to build the system as generically as possible to support as much as possible. Often provider quirks can be worked around by providing the right config, either through the

Implementations I've personally verified are: facebook, github, discord, okta, auth0, keycloak, twitch and google.

Github requires the authenticating user to have their email as public in their settings in order for it to be picked up when authenticating. There might be a way around it by providing the proper grants or scope, but I never found it. That should probably be documented somewhere! 😅

Microsoft has been confirmed working by a few users in discussions. I just pulled this example (you can exclude

Twitter is a lost cause, however. Their OAuth 2 implementation is so bespoke that it requires a targeted implementation (unless it's changed during the beta).
Actually it looks like Twitter has changed things. You can try
Thanks @aidenfoxx ! Public Github email fixed it so I’ve updated the original post.
Recreating #11316 keys for

Would you be able to share your Discord, Twitch configs? It would be great to document more examples. 💪
Here's a hack for Github SSO button:

```css
.sso-link:nth-child(5) .sso-title {
  display: flex !important;
  flex-direction: column !important;
  justify-content: center !important;
  align-items: flex-start !important;
}
.sso-link:nth-child(5) .sso-title:after {
  content: "Public email address only";
  font-style: italic !important;
  font-size: 14px !important;
}
```
Sure thing! Twitch:
Discord:
If I remember correctly, Discord uses numeric client ids, so you need to specify
Awesome :)
Just noticed the flag string in the variable.
Looking further into the docs, the correct Twitter profile URL would be

I think you also need additional scopes
Yep, before moving back onto Twitter I think this is the same issue as with Discord, whereas with Github the page refreshes without creating the new user, presumably because there is no email to use as a key? Can you explain how this works? i.e. how does the OAuth2 flow get some field to use as a unique key / email for Directus?

EDIT: Discord now works with this config:

Checking to see if this isn't the same for Github...
The

So if Twitter returns the following profile for the authenticating user:

Then authenticating with

Unfortunately I see the issue with Twitter now. Their actual profile response is in a sub-object, and we have no way to query sub-objects in the current implementation:
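The mechanism described in the reply above, as an added illustration that is not Directus's own driver code: the configured identifier key is looked up against the provider's profile response, and a missing value is what surfaces as the "Failed to find user identifier" failure. A flat lookup (top-level keys only, as the reply describes for the current implementation) is shown beside a dotted-path lookup that would reach a field nested in a sub-object. The sample profiles and the function names are constructed for this example; the exact Directus config variable names are not part of it.

```javascript
// Constructed sample profile responses (shapes are assumptions, not captured traffic).
const githubLikeProfile = { id: 123, login: "alice", email: "alice@example.com" };
const githubNoPublicEmail = { id: 123, login: "alice", email: null }; // email hidden in settings
const twitterLikeProfile = { data: { id: "42", username: "alice" } }; // fields nested in "data"

// Normalise "no usable value" (undefined, null, empty string) to null.
function normalise(value) {
  return value === undefined || value === null || value === "" ? null : String(value);
}

// Flat lookup: only top-level keys of the profile are consulted.
function flatIdentifier(profile, key) {
  return normalise(profile[key]);
}

// Dotted-path lookup: "data.id" walks into nested sub-objects.
function pathIdentifier(profile, path) {
  let current = profile;
  for (const segment of path.split(".")) {
    if (current === null || typeof current !== "object" || !(segment in current)) {
      return null;
    }
    current = current[segment];
  }
  return normalise(current);
}

// Decide whether the login can proceed: without an identifier there is nothing
// to key the user record on, so the driver must refuse rather than create a user.
function resolveLogin(provider, profile, key, lookup) {
  const identifier = lookup(profile, key);
  if (identifier === null) {
    return {
      ok: false,
      error: `[OAuth2] Failed to find user identifier for provider "${provider}"`,
    };
  }
  return { ok: true, identifier };
}

// Demo: github with and without a public email, and twitter's nested response.
console.log(resolveLogin("github", githubLikeProfile, "email", flatIdentifier));
console.log(resolveLogin("github", githubNoPublicEmail, "email", flatIdentifier));
console.log(resolveLogin("twitter", twitterLikeProfile, "id", flatIdentifier)); // fails: nested
console.log(resolveLogin("twitter", twitterLikeProfile, "data.id", pathIdentifier)); // works
```

The third call reproduces the situation in the thread: the identifier exists in the response but sits under `data`, so a flat lookup returns nothing and the login is refused; the fourth shows what a path-aware lookup would need to do.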
OK thank you, that makes perfect sense. What is the best way to see the response via an npm instance of Directus (i.e.

Twitter and Microsoft I'm going to park for now, but will try with others.
Well you can get more info about what's going wrong by enabling trace logging. Other than that I'd probably manually modify the "node_modules/directus/dist/auth/drivers/oauth2.js" and log
Preflight Checklist
Describe the Bug
Hello, I thought I'd write up my findings on SSO (single-sign-on) for Directus on Directus latest 9.7.1 (28/03/22), which is something I'm keen to use since it simplifies user registration. Here is an overview followed by the full `.env` configuration:

| Provider | Driver | Status |
| --- | --- | --- |
| Google | openid | ✅ Works w/ setup via cloud console. |
| Facebook | openid | ✅ Works w/ setup via myapps. |
| Discord | oauth2 | ✅ Works w/ setup via apps. |
| Microsoft | openid | ❌ Callback code seems to be given as an URL parameter instead of in POST: `signInAudience=AzureADandPersonalMicrosoftAccount` inside Manifest. |
| Twitter | oauth2 | ❌ Twitter landing page is: "Whoa there! There is no request token for this page." |
| Github | oauth2 | ✅ EDIT: works if Github user email address is public. Directus gives error: `[XX:XX:XX]⚠️ [OAuth2] Failed to find user identifier for provider "github".` Perhaps from missing email? |
| DiscourseHub | oauth2 | ✨ Not tested yet but this plugin seems a viable method. |

Misc

If there is already a Directus DB user with the same email address as an attempted SSO login, the login page will reload without an error message. Deleting the Directus DB user then allows the SSO login, but it would be good to a) combine SSO with DB user, or b) give an err ("user already exists").
Environment (.env)

To Reproduce
Recreate these .env settings on a Directus instance.
Errors Shown
No response
What version of Directus are you using?
9.7.1
What version of Node.js are you using?
v14.15.4
What database are you using?
pg@^8.7.3
What browser are you using?
Safari / Ungoogled Chromium
What operating system are you using?
macOS
How are you deploying Directus?
Ubuntu Droplet (Digital Ocean)