HMAC-256 example on Official SSO page


(Jim Ehrlich) #1

Official Single-Sign-On for Discourse (sso) has an HMAC-256 encoding “Real world example” I cannot duplicate.

There is an extra “\n” appended to the Base64 encoded string, it should be

bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

Using https://codebeautify.org/hmac-generator with HMAC-256 Algorithm on

bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

I get

1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471

Am I missing something?


(Sam Saffron) #2

Read through:

This code is carefully tested.


(Jim Ehrlich) #3

The problem seems to be in the example, not the code, presumably a cut/paste error.
Current Version:

  • Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b

  • Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n

  • Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D%0A

  • HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56

I believe this should be as below. Note removal of last char on base64 and URL encoded strings. Two online HMAC-SHA256 testers agree on the generated HMAC-SHA256 of 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471 on input data of bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI= with key d836444a9e4084d5b224a60c208dce14

Suggested revision

  • Raw payload is generated: nonce=cb68251eefb5211e58c00ff1395f0c0b

  • Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=

  • Payload is URL encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI%3D

  • HMAC-SHA256 is generated on the Base64 encoded Payload: 1ce1494f94484b6f6a092be9b15ccc1cdafb1f8460a3838fbb0e0883c4390471


(Michael Brown) #4

The code was changed to use strict_encode64 (which doesn’t add the newlines) here:
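Added example (not from this thread or Discourse's own code) that reproduces both sets of values above in Ruby: `Base64.encode64` appends the "\n" that produced the old signature, `Base64.strict_encode64` gives the revised one, and the receiver must HMAC the Base64 text exactly as received; it assumes the key d836444a9e4084d5b224a60c208dce14 quoted in post #3.

```ruby
require "base64"
require "cgi"
require "openssl"

# Values quoted in the thread above (constructed example, not Discourse's code).
SSO_SECRET  = "d836444a9e4084d5b224a60c208dce14"
RAW_PAYLOAD = "nonce=cb68251eefb5211e58c00ff1395f0c0b"

# HMAC-SHA256 is computed over the Base64 string, not the raw payload; hex output.
def sign_sso(secret, encoded_payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, encoded_payload)
end

# Build the sso/sig pair. strict: true uses Base64.strict_encode64 (no newline);
# strict: false uses Base64.encode64, which appends "\n" and yields the old doc's values.
def build_sso_query(secret, raw_payload, strict: true)
  encoded = strict ? Base64.strict_encode64(raw_payload) : Base64.encode64(raw_payload)
  { payload: encoded, sso: CGI.escape(encoded), sig: sign_sso(secret, encoded) }
end

# Receiver side: URL-decode sso, recompute the HMAC over the Base64 text exactly as
# received (any trailing newline included), and compare in constant time.
def verify_sso(secret, sso_param, sig)
  expected = sign_sso(secret, CGI.unescape(sso_param))
  return false unless expected.bytesize == sig.bytesize
  expected.bytes.zip(sig.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |strict|
    q = build_sso_query(SSO_SECRET, RAW_PAYLOAD, strict: strict)
    puts "strict=#{strict} sso=#{q[:sso]} sig=#{q[:sig]}"
  end
end
```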