How to avoid "Account login timed out, please try logging in again" when the payload had expired in SSO

sso

(Mohit Gupta) #1

I want to avoid this error from appearing - Account login timed out, please try logging in again. This error appears when the payload of SSO login has expired. I was thinking if i could redirect the user to any other page when this error occurs or is their any other better solution. Does any body have a solution for this?


(Mohit Gupta) #2

I am still looking for a solution of this topic.


(Florian Bender) #3

I haven’t tested it but there is an SSO setting for a redirect on failed login. Maybe this will help you.

The error message should be fixed, though. It should at least contain a link back to the Discourse Login page.


(Mohit Gupta) #4

@fbender, I looked into admin panel for the SSO setting on a failed login but I cannot find it. Can you please tell me where is this setting.


(Felix Freiberger) #5

I think he is referring to sso not approved url.


(Mohit Gupta) #6

@fefrei thats not working either


(Florian Bender) #7

Yeah I tested it myself and it did not work. Question is whether it actually should work. @techAPJ


(Arpit Jalan) #8

sso not approved url setting is used when the SSO login is successful but the Admin has enabled must approve users setting and the user has not been approved yet.


(Arpit Jalan) #9

Looking at the current code:

I don’t think it’s possible to redirect user to any other page.

EDIT: I may wire up a setting that could make this possible. @sam should I go ahead and add a setting sso_timeout_expired_url for this case? Is this something we should have?


Implementing SSO, nonce immediately expires
(Sam Saffron) #10

First fix is to present a proper error page there as opposed to 1 line of text


(Felix Freiberger) #11

Wouldn’t a proper reaction be to just redirect back to the SSO login URL?

Assuming my login on the external site is still valid (e.g. I was just taking too long to log in there), this would actually log me in immediately, just with an additional roundtrip. If the login on the external site expired in the meantime, I have to authenticate again – but this is what I want to to, since I was just trying to login anyway.


SSO Plugin Account login timed out, please try logging in again
(Florian Bender) #12

What’s the status here? I like the proposal of @fefrei though it might lead to an infinite redirect loop somehow, so that should be safe-guarded. @techAPJ did you impelement something yet?


(eriko) #13

How long does the nonce last and is that configurable? Depending on if the user is authenticated in the the SSO provider already it may take them to long if they have to actually log in.


(Felix Freiberger) #14

Per the spec, the nonce is valid for 10 minutes:


(eriko) #15

Ok that is interesting. Because I have gotten that message in less than 30 seconds.


(Dean Peterson) #16

This has become a systemic problem for me. When the server first comes up things are ok. With any kind of load, every new user registering with sso is getting this Account Login timed out error. I tried upgrading to the latest version of Discourse today. The problem is still occurring.


(Sam Saffron) #17

This sounds very odd to me, we only show that message if it took upwards of 10 minutes to run through stuff in your side. What forum is this happening on? Can it be reproduced on demand?


(Dean Peterson) #18

If you register at trade.abecorn.com, the first thing I do is initiate the sso to discourse on successful login. That transitions to discourse.abecorn.com then back to trade.abecorn.com once registration in discourse is complete. That flow is often blocked with the timeout error. It is happening sporadically now throughout the day.


(Dean Peterson) #19

It seems every time I mention I run discourse for abecorn.com I get no more responses. Would it help if I mention I am also lead architect for the State of MN at DEED; in charge of making technology buying decisions?


(Sam Saffron) #20

Well, we could diagnose this for you if you signed up for our hosting, we host 100s of discourse sites and I have not seen this particular issue.

Reason I stopped responding is that I am stumped and need access to the system, logs, and a repro