Confusing/unpolished error message when using Discourse as SSO provider

If you don’t configure the sso provider secrets setting correctly when using Discourse as an SSO provider, you get a generic Error 500 message in the browser and a confusing error message in the logs:

TypeError (no implicit conversion of nil into String) /var/www/discourse/lib/single_sign_on.rb:114:in `hexdigest'

Based on the code path being followed, this looks to be accidental, and I think this error message should be improved:

  • In the logs, indicate that the SSO provider is misconfigured or an unauthorized attempt has been made
  • In the browser, show a more appropriate error message (probably HTTP 400 Bad Request or 403 Forbidden)

More details here (maybe an admin/moderator can move that post into this new thread for me):

Note this is in the context of the wp-discourse plugin for WordPress but the issue has nothing to do with this plugin specifically.

Do you mean leave it blank or put garbage data in it?

This happens if the setting is left blank (more specifically, I think whenever there is no secret for the domain associated with an incoming SSO request).

Aha, if the setting is blank I support a better error here. @eviltrout, can you do this or assign it?

@Osama did this and it’s been merged:

https://github.com/discourse/discourse/commit/525920a9794a4582d6588250daa302c36029fce8

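The failure mode discussed in this thread, reproduced as an added Ruby example (not Discourse's code and not the merged fix): a missing per-domain secret reaches the HMAC call as nil, next to a checked version that reports misconfiguration and bad signatures separately. All names here (`PROVIDER_SECRETS`, `verify_naive`, `verify_checked`, `sso_status`), the host-to-secret hash and the 403/400 mapping are assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical names throughout; this is not Discourse's implementation.
class SsoConfigError < StandardError; end     # no secret configured for the requesting host
class SsoSignatureError < StandardError; end  # signature does not match the payload

# Constructed sample data: requesting host => shared secret, and a Base64 payload.
PROVIDER_SECRETS = { "blog.example.com" => "constructed-secret-0123456789" }.freeze
SAMPLE_PAYLOAD = ["nonce=constructed123&return_sso_url=https://blog.example.com/sso"].pack("m0")

def sign(payload, secret)
  OpenSSL::HMAC.hexdigest("sha256", secret, payload)
end

# Pattern behind the log line in the thread: the lookup result goes straight
# into hexdigest, so an unknown host passes nil as the key and raises TypeError.
def verify_naive(payload, sig, host, secrets)
  sign(payload, secrets[host]) == sig
end

# Checked version: separate "no secret" from "bad signature", compare in constant time.
def verify_checked(payload, sig, host, secrets)
  secret = secrets[host]
  if secret.nil? || secret.empty?
    raise SsoConfigError, "no SSO provider secret configured for #{host.inspect}"
  end
  expected = sign(payload, secret)
  # fixed_length_secure_compare requires equal lengths, so check that first.
  unless sig.is_a?(String) && sig.bytesize == expected.bytesize &&
         OpenSSL.fixed_length_secure_compare(expected, sig)
    raise SsoSignatureError, "SSO signature mismatch for #{host.inspect}"
  end
  true
end

# Turn each outcome into a 4xx status and a specific log line instead of a 500.
# The 403/400 split is this example's choice; the thread suggests either code.
def sso_status(payload, sig, host, secrets = PROVIDER_SECRETS)
  verify_checked(payload, sig, host, secrets)
  200
rescue SsoConfigError => e
  warn "SSO provider misconfigured or unauthorized attempt: #{e.message}"
  403
rescue SsoSignatureError => e
  warn "SSO request rejected: #{e.message}"
  400
end
```

Logging the host with `inspect` keeps attacker-supplied control characters from breaking the log line.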