DiscourseConnect payload hash encoding mismatch

I have not tested this on my website yet, I’m trying to work out the steps by hand before I do that.

From the forum post referenced earlier:

Given the following settings:
Discourse domain: http://discuss.example.com
DiscourseConnect URL: http://www.example.com/discourse/sso
DiscourseConnect secret: d836444a9e4084d5b224a60c208dce14

User attempts to log in

  • Nonce is generated: cb68251eefb5211e58c00ff1395f0c0b
  • Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b
  • Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n
  • Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A
  • HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56

Here is where I get a different answer. When I used the HMAC encoder you suggested on the Base64 non-URL-encoded payload, I get d26d5adf900de48890a0c3dcdeec108acd91b44a4b76c90c59955a5ba7b957f7 instead of 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56. When I use it on the URL-encoded payload, I get 46e749cd26dcabc84eed323ff31f830da674dc87c77a2fcb1b296f76402ea900.

However, later in the tutorial, during the creation of the new payload:

Unsigned payload is generated:
nonce=cb68251eefb5211e58c00ff1395f0c0b&name=sam&username=samsam&email=test%40test.com&external_id=hello123&require_activation=true
(order does not matter, values are URL encoded)

Payload is Base64 encoded
bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9c2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJlX2FjdGl2YXRpb249dHJ1ZQ==

Payload is URL encoded
bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGImbmFtZT1zYW0mdXNlcm5hbWU9c2Ftc2FtJmVtYWlsPXRlc3QlNDB0ZXN0LmNvbSZleHRlcm5hbF9pZD1oZWxsbzEyMyZyZXF1aXJlX2FjdGl2YXRpb249dHJ1ZQ%3D%3D

Base64 encoded Payload is signed
3d7e5ac755a87ae3ccf90272644ed2207984db03cf020377c8b92ff51be3abc3

This signature is generated from hashing the Base64 non-URL encoded payload, so that’s why I’m a little bit unsure of why it doesn’t work on the first payload.
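The steps above, carried through in code as an added example (not code from the post or from Discourse): the HMAC-SHA256 is taken over the exact Base64 text, so a trailing newline, which the first reference payload shows as `\n` / `%0A`, changes the signature even though the URL-encoded form is never what gets signed. Function names, the `trailing_newline` switch and the secret/nonce values copied from the post are assumptions for illustration; the verifier uses a constant-time compare.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlencode

# Example secret and nonce copied from the post above (not real credentials).
SECRET = "d836444a9e4084d5b224a60c208dce14"
NONCE = "cb68251eefb5211e58c00ff1395f0c0b"


def b64_payload(raw: str, trailing_newline: bool = False) -> str:
    """Base64-encode the raw query string. Some encoders append a newline
    (the first reference payload on the page ends in '\\n'); the signature
    covers the Base64 text, so that byte must be reproduced exactly."""
    encoded = base64.b64encode(raw.encode()).decode()
    return encoded + "\n" if trailing_newline else encoded


def sign(b64: str, secret: str = SECRET) -> str:
    """HMAC-SHA256 over the Base64 text (not the URL-encoded form), hex digest."""
    return hmac.new(secret.encode(), b64.encode(), hashlib.sha256).hexdigest()


def verify(b64: str, sig: str, secret: str = SECRET) -> bool:
    """Check a received signature with a constant-time comparison."""
    return hmac.compare_digest(sign(b64, secret), sig)


def verify_sso(sso: str, sig: str, secret: str = SECRET) -> bool:
    """Same check for the raw, still URL-encoded 'sso' query parameter."""
    return verify(unquote(sso), sig, secret)


def decode_sso(sso: str) -> str:
    """Undo URL encoding, then Base64, to recover the raw query string."""
    return base64.b64decode(unquote(sso)).decode()


def build_login_request(nonce: str = NONCE, trailing_newline: bool = True) -> dict:
    """The sso/sig pair Discourse sends to the DiscourseConnect URL."""
    b64 = b64_payload(f"nonce={nonce}", trailing_newline)
    return {"sso": quote(b64, safe=""), "sig": sign(b64)}


def build_login_response(fields: dict) -> dict:
    """The signed payload returned to Discourse; values are URL-encoded first."""
    b64 = b64_payload(urlencode(fields))
    return {"sso": quote(b64, safe=""), "sig": sign(b64)}
```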