Extending NONCE timeout period

Is there any way, or reason not to, extend the period of the NONCE validity beyond 10 minutes?

Our SSO currently involves logging in to our existing site and creating a username and/or new display name. Since these should, in theory, encourage you to review our guidelines, it is not impossible that the token needs to last more than 10 minutes to give them a chance to complete the process.

Our own site’s session is extended to 20 minutes, which means that if you take 11-20 minutes to click ‘SUBMIT’ your record will get stored, but as a user you get a very non-descript and unhelpful error message page.

Alternatively, can we edit that error page (which is on the Discourse site) to encourage them to simply refresh and retry the login WITHOUT the expired token?

Has anyone else come up against this? It is not an error - the SSO works fine, it is merely a question of time limits

Fine to make this a site setting if you submit a pr


This is a an old post, but I wanted to check and see if NONCE expiration was made a site setting? The SSO authentication flow I am contemplating (sending an email with a sign-in token) could easily take more than ten minutes.

The best documentation I found (Official Single-Sign-On for Discourse (sso)) still implies it is a fixed 10 minutes.


PS: I am leaning toward sending an email with a sign in token because I am trying to integrate with Teachable and there is no way for me to authenticate directly against it. So I’m considering using their webhook functionality to keep a list of subscribed email addresses in sync on a custom site and then authenticate against that. Not ideal but haven’t been able to come up with a better solution if I stick with Teachable.

As it stands it has not become a site setting, I would be totally open to expanding core so it is very easy to override from a plugin if you wish.

Very few ask for this and it is an important security feature of the protocol.


Wow, thanks for the instant reply! Will take a look at the plug-in docs.

Definitely agree on keeping the expiration short. Even in my scenario I wouldn’t want to have it exceed 15 - 20 minutes at most. Even at ten it would be probably be fine almost all the time.

Thanks again!


I have no experience with Discourse plug-ins so I’m guessing a bit here …

Is the potential solution that the NONCE expiration that is currently hardcoded to 10.minutes in single_sign_on.rb (see file on git for others reading this) could be overridden by a plug-in?

If so, reading this topic it appears that would be pretty trivial. Just changes to the following three plug in files - config/settings.yml, config/locales/server.en.yml, and plugin.rb.

If I chose to not surface this in the admin UI (I likely would), could I just provide the updated value in


Yeah the easiest thing is to redefine the constant, but I am fine for core to stop using the constant and instead have a static getter / setter method.

That way the plugin would simply call a trivial method call to set it.


That’s awesome! I will do a bit more research and architecture work to solidify my plan but this eliminates the concern I had re. the SSO integration.

I will come back and confirm my direction this week to validate the request for this change.

I am probably pushing my luck here, but if this is indeed important for my scenario any idea of a rough timeframe for the change to be implemented?

Thanks again for being incredibly responsive!


Sure here you go:



Incredible - my head just exploded! :slight_smile:

I was a member of a Discourse community so I was familiar with Discourse from a user standpoint. Based on that I was already 90% committed to using it as part of my product / solution.

Now I am at 110%!!

Thanks again! Seriously!!!