This plugin is developed and supported by FusionAuth but it is intended to work with any OpenID Connect identity provider.
If you find any issue or a missing feature, please open an issue.
- OpenID Connect Authentication
- Authorization Code Grant
- Hot reloading of the authentication strategy
- The configuration with the exception of the
Email claim
can be loaded without restarting NodeBB.
- Run
npm link
in this directory - Go to your NodeBB directory and run
npm link nodebb-plugin-fusionauth-oidc
- Run
./nodebb build
- Run
./nodebb dev
- Launch NodeBB
- Go to the admin portal
- Select
Extend > Plugins
from the menu - Click
Find Plugins
from the sub-menu - Search for
fusionauth-oidc
- Click the
Install
button on thenodebb-plugin-fusionauth-oidc
result - Click
Installed
from the sub-menu - Find the
nodebb-plugin-fusionauth-oidc
plugin and clickActivate
- Rebuild and restart NodeBB
- Refresh the page to regenerate the menu
To configure the OpenID Connect plugin, perform the following steps to navigate to the configuration panel.
- Select
Plugins > OpenID Connect
from the menu - You are now ready to configure the OpenID Connect plugin
You will need your Client Id, Client Secret and the endpoint URLs provided to you by your OpenID Connect identity provider.
If your OpenID Connect identity provider supports discovery, then you only need to enter the Client Id, Client Secret and Discovery base URL. If this is not available to you or discovery is not successful, you may also enter each endpoint manually .
Once you complete this configuration and save the form, you will need to restart NodeBB for the configuration to take effect.
Field | Description |
---|---|
Client Id | The unique Client Id provided to you by your IdP. |
Client Secret | The client secret provided to you by your IdP. In some cases this may not be provided to you if the IdP allows for non-confidential clients. |
Discovery URL | When provided, this URL will be used to find the OpenID Connect discovery document. This URL will be appended with .well-known/openid-configuration . If this URL returns a JSON discovery document the remaining endpoints will be automatically resolved when you press the Save button. |
Authorization endpoint | The fully qualified URL to the Authorization endpoint. |
Token endpoint | The fully qualified URL to the Token endpoint. |
Userinfo endpoint | The fully qualified URL to the Userinfo endpoint. |
Logout endpoint | The fully qualified URL of the OpenID Connect logout endpoint. If configured, the browser will be redirected to this URL when you click logout in NodeBB. |
Email claim | The name of the claim found in the response from the Userinfo endpoint that identifies the user's email address. This is generally email and is the default value. |
Roles claim | If present, on login we will check this claim for the value "admin" and if present, give the user access to the admin panel. The claim value can either be a string or array of strings. Anything else will be treated as the user having no roles. |
This plugin will work with any OpenID Connect identity provider. If you are using FusionAuth, the values needed for this configuration will be found in your Application OAuth configuration. For more information, review the OAuth configuration tab of the Application configuration in the FusionAuth documentation.
If your provider requires a callback url then use https://<domain>/auth/fusionauth-oidc/callback
If you want to skip the login page and always use the configured OpenID Connect identity provider for authentication you will need to disable Login Login and Local Registration.
- Select
Manage > Privileges
from the menu - Uncheck the appropriate boxes under the
Local Login
column in theGroup Privileges
table
- Select
Settings > User
from the menu - Scroll down to the
User Registration
section and setRegistration Type
toNo Registration
- Click the Save icon
Once both Local Login and Local Registration have been disabled, the default login page will be skipped and the user will be automatically redirected to the OpenID Connect login page.
If you need to login locally you can manually add the following parameter /login?local=1
to your URL and you will be taken to the default login page.
If you make changes to the plugin you will need to rebuild and reload. You can do this manually or via the UI.