HMAC-256 example on Official SSO page

Official Single-Sign-On for Discourse (sso) has an HMAC-256 encoding “Real world example” I cannot duplicate.

There is an extra “\n” appended to the Base64 encoded string; it should be

bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

Using https://codebeautify.org/hmac-generator with HMAC-256 Algorithm on

bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

I get

1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471

Am I missing something?

Read through:

https://github.com/discourse/discourse/blob/master/lib/single_sign_on.rb#L80-L83

This code is carefully tested.

2 Likes

The problem seems to be in the example, not the code, presumably a cut/paste error.
Current Version:

  • Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b

  • Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n

  • Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A

  • HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56

I believe this should be as below. Note the removal of the last character on the base64 and URL encoded strings. Two online HMAC-SHA256 testers agree on the generated HMAC-SHA256 of 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471 on input data of bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI= with key d836444a9e4084d5b224a60c208dce14

Suggested revision

  • Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b

  • Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

  • Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D

  • HMAC-SHA256 is generated on the Base64 encoded Payload: 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471

1 Like

The code was changed to use strict_encode64 (which doesn’t add the newlines) here:
https://github.com/discourse/discourse/commit/518e101ad6a61146ed2b19c88da9c0c21472bd79

3 Likes
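To make the difference between the two posts above concrete, here is an added Ruby script (not from the thread, not Discourse's own code) that builds the `sso` parameter both ways using the nonce and secret quoted in the thread: `Base64.encode64`, which appends a newline, versus `Base64.strict_encode64`, the form the linked commit switched to. It also shows the receiving side's check, which is why the trailing newline matters: the HMAC is computed over the exact Base64 string, so a signature produced over `...=\n` will never verify against `...=`. The URL encoding uses `CGI.escape` and the constant-time comparison is a small hand-written helper; both are assumptions of this example rather than something the thread states.

```ruby
require 'openssl'
require 'base64'
require 'cgi'

# Values quoted in the thread (the docs' "Real world example").
RAW_PAYLOAD = 'nonce=cb68251eefb5211e58c00ff1395f0c0b'
SSO_SECRET  = 'd836444a9e4084d5b224a60c208dce14'

# HMAC-SHA256 hex digest over exactly the bytes handed in. Any extra byte,
# including a trailing "\n", changes the result completely.
def sign(secret, data)
  OpenSSL::HMAC.hexdigest('sha256', secret, data)
end

# Build the pieces of an SSO request two ways:
#   strict: false -> Base64.encode64 (RFC 2045 style, adds "\n" line breaks)
#   strict: true  -> Base64.strict_encode64 (no line breaks; what Discourse
#                    moved to in commit 518e101)
# CGI.escape is assumed here as the URL-encoding step.
def build(raw, secret, strict:)
  b64 = strict ? Base64.strict_encode64(raw) : Base64.encode64(raw)
  { base64: b64, url: CGI.escape(b64), sig: sign(secret, b64) }
end

# Constant-time string comparison (hand-written helper for this example) so
# that signature checking does not leak how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# What the consumer does: URL-decode the `sso` param, recompute the HMAC
# over the Base64 string it actually received, compare against `sig`.
def verify(secret, sso_param, sig)
  received_b64 = CGI.unescape(sso_param)
  secure_equal?(sign(secret, received_b64), sig)
end

# Run both variants side by side and report whether they agree.
def demo(raw = RAW_PAYLOAD, secret = SSO_SECRET)
  loose  = build(raw, secret, strict: false)
  strict = build(raw, secret, strict: true)
  {
    loose: loose,
    strict: strict,
    same_sig: loose[:sig] == strict[:sig],
    # a signature made over the "\n" form checked against the clean payload
    cross_verifies: verify(secret, strict[:url], loose[:sig])
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  %i[loose strict].each do |k|
    puts "#{k}:"
    puts "  base64: #{r[k][:base64].inspect}"
    puts "  url:    #{r[k][:url]}"
    puts "  sig:    #{r[k][:sig]}"
  end
  puts "signatures identical? #{r[:same_sig]}"
  puts "newline-signed sig verifies against strict payload? #{r[:cross_verifies]}"
end
```

The `inspect` call in the output makes the trailing `\n` visible, which is exactly the character the suggested revision removes. Running the script with the thread's nonce and secret reproduces the two different digests the posts above are comparing; whichever form a client uses, the signature has to be computed over the same bytes that end up in the `sso` parameter.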