If you don’t configure the sso provider secrets setting correctly when using Discourse as an SSO provider, you get a generic Error 500 message in the browser and a confusing error message in the logs:
TypeError (no implicit conversion of nil into String) /var/www/discourse/lib/single_sign_on.rb:114:in `hexdigest'
Based on the code path being followed, this looks to be accidental, and I think this error message should be improved:
- In the logs, indicate that the SSO provider is misconfigured or an unauthorized attempt has been made
- In the browser, show a more appropriate error message (probably HTTP 400 Bad Request or 403 Forbidden)
More details here (maybe an admin/moderator can move that post into this new thread for me):
Note this is in the context of the wp-discourse plugin for WordPress but the issue has nothing to do with this plugin specifically.
This happens if the setting is left blank (more specifically, I think whenever there is no secret for the domain associated with an incoming SSO request).
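The kind of guard the post asks for, as an added example (not Discourse's code and not part of the original post): look up the secret before computing the HMAC, and turn a missing or blank secret into a logged cause plus a 4xx response instead of a TypeError from `hexdigest`. `PROVIDER_SECRETS`, `check_sso_request`, `sample_request` and the status choices are hypothetical; the example assumes the `sso` payload is base64-encoded form data that carries a `return_sso_url` and is signed with HMAC-SHA256.

```ruby
require "openssl"
require "uri"

# Constructed sample config (hypothetical): return-URL host => shared secret.
PROVIDER_SECRETS = { "blog.example.com" => "constructed-shared-secret" }.freeze

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest("sha256", secret, payload)
end

# Constant-time comparison so the check does not leak where the digests differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds a constructed request the way a consumer site would: [sso, sig].
def sample_request(return_url, secret)
  sso = [URI.encode_www_form(nonce: "constructed-nonce", return_sso_url: return_url)].pack("m0")
  [sso, sign(sso, secret)]
end

# Returns [http_status, message] and never hands a nil key to hexdigest.
def check_sso_request(sso, sig, secrets = PROVIDER_SECRETS)
  return [400, "missing sso or sig parameter"] if sso.to_s.empty? || sig.to_s.empty?

  host = begin
    params = URI.decode_www_form(sso.unpack1("m")).to_h
    URI.parse(params["return_sso_url"].to_s).host
  rescue ArgumentError, URI::InvalidURIError
    nil
  end
  return [400, "payload has no usable return_sso_url"] if host.nil?

  secret = secrets[host]
  if secret.nil? || secret.empty?
    # Log the real cause so the admin does not have to decode a TypeError.
    warn "SSO provider: no secret for #{host} (misconfigured or unauthorized request)"
    return [403, "SSO is not configured for this site"]
  end

  return [403, "signature mismatch"] unless secure_equal?(sign(sso, secret), sig)
  [200, "ok"]
end
```

The response body stays generic while the log line names the host, so the administrator sees the misconfiguration without the browser learning which domains have secrets.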