I’m encountering what appears to be an SSO-related SNAFU, namely an inability to log in to a particular Discourse community forum only when the login is attempted from a PC. Otherwise, I can access the forum freely via, say, Android web browser or mobile app.
After a few days of troubleshooting from both ends, we’ve concluded that it’s the series of redirects which occur between hubitat → portal.hubitat → discourse/session/sso_login?___ → back to hubitat, thereby pointing to an SSO id which perhaps expired during my two-month absence over the Holidays.
Is there any way for me, the user, to reset my SSO credentials?
Or is there a set of steps I can pass along to the forum moderator so that he can do the same for my account from his end?
We’ve tried everything else (different browsers, clearing cache(s), deleting cookies, blocking 3rd party, Incognito mode, etc.) to no avail.
THANKS! - Tim
Hello and welcome @TimGNO
Your issue doesn’t appear to relate to this bug. Would you like me to move your post into its own topic?
Yes, thanks, and sorry to come across as a n00b by posting in this old thread, lol. This is one of those “I’m at my wit’s end despite having 50+ years experience in IT” moments.
I can’t help thinking the problem stems from this recalcitrant cookie, perhaps expiring a session before it starts?
(Can’t post images yet, so using image link temporarily as a placeholder)
Note: Taken from Chrome > Inspect > Network > Cookies
No idea. But you might check the time on your servers (or maybe the PC–or is it all pcs–all users)? If one was off it might explain that (but I don’t really know).
Other things that I might check are that everything is https and that those certs are good.
So far only made attempts on a single (Windows 10) PC but will now try others. The issue has affected other forum members in the past, but only temporarily, and right now I’m the only one complaining. (I’m not a site owner or admin myself.)
Thanks for the solid suggestions, which were items among those I’ve already explored:
- Changing browser(s)
- User Agent spoofing
- Same-site / CORS settings
- HTTPS-only enabled
- 3rd party cookie blocking
Unfortunately, the (Discourse Community) site admin for Hubitat is away for 4+ days at CES '23, but promises to check SSO settings on his end thereafter. Will report.
UPDATE: While attempting to further disambiguate the perceived difference in behavior between desktop and mobile platforms, I uninstalled the “Hubitat app” (which is little more than a glorified bookmark and browser front-end) on my Android device, then attempted to access the site using its Chrome browser. Same error condition emerged. Still cannot login. Refreshing login page yields:
“Account login timed out, please try logging in again.”
I surmise that the “app” had been holding onto some form of authorization key(s) from before my sabbatical, and wanted to eliminate that variable.
I’m now completely convinced this is a server-side, user-account level issue and not a device-, platform-, or browser-level client-side issue. Perhaps even a well-known Discourse framework hiccup with a known solution(?), so a-Googling I must go until help arrives.
Do you know if anyone else on the site is running into the same issue?
If the site admins haven’t done it already, they could enable the verbose_discourse_connect_logging. Some details about debugging DiscourseConnect issues with that setting are here: Debug and fixing common DiscourseConnect issues. I’m not sure that topic covers the issue you are running into though.
The full error message that’s shown in the logs for this will be something like:
Nonce is incorrect, was generated in a different browser session, or has expired.
Possible causes of this are:
- the nonce that’s passed from the application to Discourse on your login attempt doesn’t match the nonce that was initially sent from Discourse to the application
- the nonce was generated in a different session than the session you are logging in from. This will happen if the application is making a background request to get the nonce from Discourse, instead of having it be generated by a browser redirect.
- the user waits longer than 10 minutes (the nonce expiry time) to complete the login
I’m guessing that you’re running into the first issue in that list.
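The three causes in the list above, modelled as an added example (not part of the original post and not Discourse's own code). `ForumSide`, `provider_reply`, the secret and the session ids are hypothetical names and constructed values; the Base64 payload signed with HMAC-SHA256 follows the DiscourseConnect `sso`/`sig` convention.

```ruby
require "openssl"
require "uri"
require "securerandom"

SECRET    = "constructed-shared-secret" # constructed; stands in for the DiscourseConnect secret
NONCE_TTL = 600                         # seconds: the 10-minute nonce expiry described above

def hmac(sso)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, sso)
end

# Base64-encode the fields as a query string and sign it; returns [sso, sig].
def sign(fields)
  sso = [URI.encode_www_form(fields)].pack("m0") # "m0" = Base64 without newlines
  [sso, hmac(sso)]
end

# Check the signature without an early-exit comparison; return the fields or nil.
def verify(sso, sig)
  expected = hmac(sso)
  return nil unless sig.bytesize == expected.bytesize
  return nil unless sig.bytes.zip(expected.bytes).sum { |a, b| a ^ b }.zero?
  URI.decode_www_form(sso.unpack1("m")).to_h
end

# Hypothetical model of the forum side: each nonce is bound to one browser session.
class ForumSide
  def initialize
    @issued = {} # nonce => [session_id, issued_at]
  end

  # Redirect out: issue a nonce for this browser session.
  def start_login(session_id, now)
    nonce = SecureRandom.hex(16)
    @issued[nonce] = [session_id, now]
    sign("nonce" => nonce)
  end

  # Redirect back: each nonce check maps to one cause in the list above.
  def finish_login(session_id, sso, sig, now)
    fields = verify(sso, sig) or return :bad_signature
    owner, issued_at = @issued.delete(fields["nonce"]) # single use
    return :nonce_unknown       if owner.nil?               # does not match what was sent
    return :nonce_other_session unless owner == session_id  # generated in another session
    return :nonce_expired       if now - issued_at > NONCE_TTL
    :ok
  end
end

# Hypothetical identity provider: echoes the nonce it received and adds user fields.
def provider_reply(sso, sig, user)
  fields = verify(sso, sig) or raise ArgumentError, "bad signature"
  sign(user.merge("nonce" => fields["nonce"]))
end
```

A nonce is deleted on first use, so replaying a reply that already succeeded also returns `:nonce_unknown`.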
In an ironic twist, yesterday Google announced the availability of its VPN service in conjunction with One subscriptions, which I happen to enjoy.
After installing the VPN in Windows and enabling it, I was suddenly able to proceed with the login mentioned above. Zero hiccups.
Perhaps I will never know the exact mechanism involved, but marking “Solved” in hopes that someone similarly situated in the future may benefit.