DiscourseConnect always returns "Nonce is incorrect, ..."

Hi all,

We’re building an interface into a self-hosted Discourse server. The server is at the latest version as of writing this. Our code runs on a different domain.

We’ve configured everything, we receive the signed SSO call from Discourse, and respond with what we believe is a proper signed response, per this.

Looking at the Discourse logs, our response appears to be properly signed, and the fields we return are parsed correctly. The nonce is also identical. In spite of all this, the transaction always ends with a 419 “Nonce is incorrect, was generated in a different browser session, or has expired”.
The nonce is indeed correct; it can’t have expired, as we respond immediately; and as for a different browser session, well, the response does come from the user’s browser, so…?

Added “*” to “allowed redirect domains”, and tried to add our app server to the CORS list (and set the appropriate env var). No change.

We must be doing something wrong… I’d appreciate any and all help to get us out of this dead end :slight_smile:
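As an added example (not the poster's code or Discourse's own implementation), here is the DiscourseConnect exchange the post describes, in Python: the signed request Discourse sends, the provider verifying that signature before trusting the nonce, and the signed response it must return. The secret, nonce, URL and user fields are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Shared secret from the "discourse connect secret" site setting; constructed value for this example.
SECRET = b"constructed-example-secret"


def sign(sso_b64: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 hex digest over the base64 string itself (not the decoded payload)."""
    return hmac.new(secret, sso_b64.encode("ascii"), hashlib.sha256).hexdigest()


def discourse_side_request(nonce: str, return_sso_url: str, secret: bytes = SECRET) -> dict:
    """What Discourse sends to the provider: sso=<base64 payload>, sig=<hmac>.
    Present here only to construct a realistic incoming request for the example."""
    payload = urlencode({"nonce": nonce, "return_sso_url": return_sso_url})
    sso_b64 = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return {"sso": sso_b64, "sig": sign(sso_b64, secret)}


def parse_sso_request(sso: str, sig: str, secret: bytes = SECRET) -> dict:
    """Provider side: verify the signature before decoding, then return the fields.
    Rejecting unsigned input means we never echo back a nonce that an attacker chose."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature on incoming sso payload")
    fields = parse_qs(base64.b64decode(sso).decode("utf-8"), strict_parsing=True)
    return {k: v[0] for k, v in fields.items()}


def build_sso_response(nonce: str, user: dict, secret: bytes = SECRET) -> dict:
    """Provider side: the sso/sig pair to append to return_sso_url as query parameters.
    The nonce goes back exactly as received; keep the base64 on a single line."""
    payload = urlencode({
        "nonce": nonce,
        "email": user["email"],
        "external_id": user["external_id"],
        "username": user["username"],
    })
    sso_b64 = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return {"sso": sso_b64, "sig": sign(sso_b64, secret)}
```

Discourse verifies the response the same way `parse_sso_request` verifies the request, so running the response back through it is a quick local check that the signature and nonce round-trip intact.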