Official Single-Sign-On for Discourse (sso) has an HMAC-256 encoding “Real world example” I cannot duplicate.
There is an extra “'\n” appended to the Base64 encoded string, it should be
bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=
Using https://codebeautify.org/hmac-generator with HMAC-256 Algorithm on
bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=
I get
1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471
Am I missing something?
Read through:
https://github.com/discourse/discourse/blob/master/lib/single_sign_on.rb#L80-L83
This code is carefully tested.
The problem seems to be in the example, not the code, presumably a cut/paste error.
Current Version:
Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b
Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n
Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A
HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56
I believe this should be as below. Note removal of last char on bas64 and URL encoded strings. Two online HMAC-SHA256 testers agree on the generated HMAC-SHA256 of 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471 on input data of bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI= with key d836444a9e4084d5b224a60c208dce14
Suggested revision
Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b
Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=
Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D
HMAC-SHA256 is generated on the Base64 encoded Payload: 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471
The code was changed to use strict_encode64 (which doesn’t add the newlines) here:
https://github.com/discourse/discourse/commit/518e101ad6a61146ed2b19c88da9c0c21472bd79