Is there any way, or reason not to, extend the period of the NONCE validity beyond 10 minutes?
Our SSO currently involves logging in to our existing site and creating a username and/or new display name. Since these should, in theory, encourage you to review our guidelines, it is not impossible that the token needs to last more than 10 minutes to give them a chance to complete the process.
Our own site’s session is extended to 20 minutes, which means that if you take 11-20 minutes to click ‘SUBMIT’ your record will get stored, but as a user you get a very non-descript and unhelpful error message page.
Alternatively, can we edit that error page (which is on the Discourse site) to encourage them to simply refresh and retry the login WITHOUT the expired token?
Has anyone else come up against this? It is not an error - the SSO works fine, it is merely a question of time limits.
This is an old post, but I wanted to check and see if NONCE expiration was made a site setting? The SSO authentication flow I am contemplating (sending an email with a sign-in token) could easily take more than ten minutes.
PS: I am leaning toward sending an email with a sign in token because I am trying to integrate with Teachable and there is no way for me to authenticate directly against it. So I’m considering using their webhook functionality to keep a list of subscribed email addresses in sync on a custom site and then authenticate against that. Not ideal but haven’t been able to come up with a better solution if I stick with Teachable.
Wow, thanks for the instant reply! Will take a look at the plug-in docs.
Definitely agree on keeping the expiration short. Even in my scenario I wouldn’t want to have it exceed 15 - 20 minutes at most. Even at ten it would probably be fine almost all the time.
I have no experience with Discourse plug-ins so I’m guessing a bit here …
Is the potential solution that the NONCE expiration that is currently hardcoded to 10.minutes in single_sign_on.rb (see file on git for others reading this) could be overridden by a plug-in?
If so, reading this topic it appears that would be pretty trivial. Just changes to the following three plug-in files - config/settings.yml, config/locales/server.en.yml, and plugin.rb.
If I chose to not surface this in the admin UI (I likely would), could I just provide the updated value in plugin.rb?
Yeah, the easiest thing is to redefine the constant, but I am fine for core to stop using the constant and instead have a static getter / setter method.
That way the plugin would simply call a trivial method call to set it.
I was a member of a Discourse community so I was familiar with Discourse from a user standpoint. Based on that I was already 90% committed to using it as part of my product / solution.