Hashing Secret + Payload for SSO

nategoethel · November 4, 2020, 10:17pm

After parsing the payload it appears to be in base64 by default, but the 256SHA has of the base64 encoded payload isn’t correct. I’m using the example secret and URL from the OG post.

The following code gives me the following output:

 payloadURL = bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

sig = 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56
payloadRaw = nonce=cb68251eefb5211e58c00ff1395f0c0b
payload256 = KCiqKYmXIrNaLxkdNO+bPOaV4Obu7EfetG1YjXDHy1Y=

My code:

testURL := "http://www.example.com/discourse/sso?sso=bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A&sig=2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56"	
	ssoSecret := "d836444a9e4084d5b224a60c208dce14"

	// grab the payload and sig from the URL query
	u, err := url.Parse(testURL)
	if err != nil {
		log.Fatal(err)
	}

	q := u.Query()
	payloadURL := strings.Trim(fmt.Sprint(q["sso"]), "=[]")
	sig := strings.Trim(fmt.Sprint(q["sig"]), "[]")
	
	fmt.Printf("payloadURL = %s\n", payloadURL)
	fmt.Printf("sig = %s\n", sig)

	// get the raw payload from the base64 version
	payloadRaw, err := base64.StdEncoding.DecodeString(payloadURL)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("payloadRaw = %s\n", payloadRaw)
	
	key := []byte(ssoSecret)
	message := []byte(payloadURL)
	hash := hmac.New(sha256.New, key)
	hash.Write(message)
	payload256 := base64.StdEncoding.EncodeToString(hash.Sum(nil))
	if err != nil {
		log.Fatal(err)
	}
	
	fmt.Printf("payload256 = %s\n", payload256)

	// sig is hex encoded, so hex encode the hashed payload so we can compare.
	//hashAsString := hex.EncodeToString(hash.Sum(nil))

	// compare the hex-encoded hash of payload to the hex-encoded sig
	if strings.Compare(payload256, sig) != 0 {
		log.Fatal(err)
	}

Update: I fixed this after encoding my resulting HMAC-SHA256 hash to hex (the signature is also hex encoded. Also see this post that says that the examples in the SSO guide are incorrect. So I changed this code:

key := []byte(ssoSecret)
message := []byte(payloadURL)
hash := hmac.New(sha256.New, key)
hash.Write(message)
payload256 := hex.EncodeToString(hash.Sum(nil))
if err != nil {
	log.Fatal(err)
}

Topic		Replies	Views
HMAC-256 example on Official SSO page sso	3	2535	September 11, 2018
DiscourseConnect payload hash encoding mismatch sso	4	1115	June 1, 2021
Login error while trying to use Discourse as an identity provider (SSO, DiscourseConnect) sso	3	663	May 30, 2023
External SSO unable to get signature match sso	2	772	December 24, 2020
/admin/users/sync_sso ... Route not found sso	22	4166	May 2, 2023

Hashing Secret + Payload for SSO

Related Topics