Possible oauth2 problem with Discourse and Auth0 EU sites

Hi Auth0 Team, I’m a developer for Discourse and the author of this how-to guide:

We currently have two Discourse users both using EU Auth0 accounts that are experiencing the exact same issue and I can replicate it with my own EU Auth0 account that I just set up.

I have two test Discourse forums set up, attached to two separate Auth0 accounts:

https://discourse-test-prod-box.blakeerickson.com/ ([tenant].auth0.com) [working]
https://auth0.blakeerickson.com ([tenant].eu.auth0.com) [not-working]

They are set up identically, and I’ve tried lots of different settings for the EU one trying to get a different result, with no luck. The problem is that the EU site doesn’t return a populated user_json:

Compare that to the user_json from the US based Auth0 site:

OAuth2Debugging: user_json: {
	"email_verified"=>false,
	"email"=>"*********",
	"clientID"=>"********",
	"updated_at"=>"2018-07-26T15:59:20.670Z",
	"name"=>"*******",
	"picture"=>"https://s.gravatar.com/avatar/c5ede5ffce493dbf25578f348f856c26?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fbl.png",
	"user_id"=>"auth0|******",
	"nickname"=>"******",
	"identities"=>[{
		"user_id"=>"******",
		"provider"=>"auth0",
		"connection"=>"Username-Password-Authentication",
		"isSocial"=>false
	}],
	"created_at"=>"2018-07-26T15:59:20.338Z",
	"sub"=>"*******"
}

I guess I’m kind of stuck debugging this on my own and if you could provide any help or assistance that would be great!

My open ticket for this problem is #44440, for reference. My tenant is, however, US-based.

Can you provide the settings in Discourse for your oauth2 plugin? A PM is fine. Make sure to comment out all private info unless you’re sending a PM.

Specifically:

I am having the same problem. I tried with two tenants: EU- and US-based.


Not working site:

Working site:

If it makes any difference, I have had my working Auth0 account for a long time; my EU-based Auth0 account is new today.

So here are some things to look at, mimicking the settings that we use on this site:

oauth2 authorize url: https://[tenant].auth0.com/authorize?scope=openid%20profile%20email
oauth2 token url: https://[tenant].auth0.com/oauth/token
oauth2 user json url: https://[tenant].auth0.com/userinfo
oauth2 json user id path: sub
oauth2 json username path: nickname
oauth2 json name path: name
oauth2 json email path: email
oauth2 send auth header: ✔ Send the token as an HTTP Authorization header

With nothing in oauth2 scope.

Also, please make sure your tenant logs don’t have any deprecation warnings.


Okay, I’ll try these out when I get a chance.

Awesome, thank you!

The key fix was the scope needs to be passed to the authorize url value (I also updated all my oauth2 json values to match what you have above once I was getting a json result back from Auth0).

Rather than adding the scope directly to the URL, though, there is actually a somewhat recent addition to the Discourse oauth2 basic plugin that adds a scope field to the site settings, so that you can have these settings:

oauth2 authorize url : https://[tenant].auth0.com/authorize
oauth2 authorize options: scope
oauth2 scope: openid profile email

Sorry for the trouble here; my old Auth0 account still works without adding the scope fields to the auth URL, but my new Auth0 account (and everyone else’s!) needs them. Looks like this is in the Auth0 OAuth2 docs, so I probably should have read them!

scope: A space-delimited list of permissions that the application requires.

Standard claim docs:

Notice that we included three values at the scope param: openid, profile (to get name, nickname and picture) and email (to get the email claim).
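The two checks this thread came down to, as an added example that is not part of the thread, the Discourse oauth2-basic plugin, or Auth0's own code: does the authorize URL actually carry the `openid profile email` scopes, and does the userinfo JSON contain something at each of the JSON paths configured in Discourse (`sub`, `nickname`, `name`, `email`)? The tenant host, client id, redirect URI and both userinfo samples are constructed placeholders; the openid-only sample follows the scope-to-claims grouping quoted just above (`openid` gives `sub`, `profile` adds name/nickname/picture, `email` adds the email claim), and the dotted-path lookup is a simplified stand-in for the plugin's own path resolution.

```python
"""Added example (not from the thread or the Discourse plugin): build an Auth0
authorize URL with the scope parameter, verify the scope is present, and
check a userinfo response against the JSON paths configured in Discourse."""
from typing import Any
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes the thread settled on. Claim grouping per the OIDC standard-claims
# text quoted in the thread: openid -> sub, profile -> name/nickname/picture,
# email -> email.
REQUIRED_SCOPES = ("openid", "profile", "email")

# The "oauth2 json ... path" site settings from the thread, keyed by the
# Discourse field they populate.
JSON_PATHS = {
    "user_id": "sub",
    "username": "nickname",
    "name": "name",
    "email": "email",
}


def build_authorize_url(tenant_host: str, client_id: str, redirect_uri: str,
                        scope: str = " ".join(REQUIRED_SCOPES)) -> str:
    """Return the /authorize URL with scope passed as a query parameter.
    tenant_host is e.g. 'example.eu.auth0.com' (constructed placeholder)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }
    return f"https://{tenant_host}/authorize?" + urlencode(params)


def missing_scopes(authorize_url: str) -> list[str]:
    """List the required scopes absent from the URL's scope parameter.
    A bare https://[tenant].auth0.com/authorize, as in the thread's
    not-working setup, reports all three as missing."""
    query = parse_qs(urlparse(authorize_url).query)
    present = set(query.get("scope", [""])[0].split())
    return [s for s in REQUIRED_SCOPES if s not in present]


def lookup_path(obj: Any, path: str) -> Any:
    """Resolve a dotted path such as 'identities.0.provider' inside user_json.
    Simplified assumption, not the plugin's actual resolver."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list) and part.isdigit():
            idx = int(part)
            cur = cur[idx] if idx < len(cur) else None
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return None
        if cur is None:
            return None
    return cur


def check_user_json(user_json: dict) -> dict:
    """Map each configured path onto user_json and report empty fields.
    This is what an empty or openid-only userinfo body looks like from
    Discourse's side: user_id present, everything else missing."""
    found = {field: lookup_path(user_json, path) for field, path in JSON_PATHS.items()}
    missing = [field for field, value in found.items() if value in (None, "")]
    return {"values": found, "missing": missing}


# Constructed samples: userinfo with only 'openid' granted vs. all three scopes.
USERINFO_OPENID_ONLY = {"sub": "auth0|abc123"}
USERINFO_FULL = {
    "sub": "auth0|abc123",
    "nickname": "sample_user",
    "name": "Sample User",
    "picture": "https://example.invalid/avatar.png",
    "email": "sample@example.invalid",
    "email_verified": False,
    "identities": [{"provider": "auth0", "isSocial": False}],
}

if __name__ == "__main__":
    bare = "https://example.eu.auth0.com/authorize"
    fixed = build_authorize_url("example.eu.auth0.com", "CLIENT_ID_PLACEHOLDER",
                                "https://forum.example.invalid/auth/oauth2_basic/callback")
    print("missing scopes, bare URL :", missing_scopes(bare))
    print("missing scopes, fixed URL:", missing_scopes(fixed))
    print("openid-only userinfo, missing fields:", check_user_json(USERINFO_OPENID_ONLY)["missing"])
    print("full userinfo, missing fields       :", check_user_json(USERINFO_FULL)["missing"])
```

Running `missing_scopes` against the configured authorize URL before testing a login is the cheapest way to catch the misconfiguration described in this thread, since the symptom (an empty user_json) shows up several redirects later and looks like a tenant or plugin fault rather than a missing query parameter.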


I can confirm that following the updated docs on the Discourse thread results in Auth0 working and the required data being populated! Hurrah, thanks so much everybody for helping us get to the bottom of this!

Ruth
