With multiple Discourse instances that have login required set and use SSO, we’re experiencing infinite redirects on login with Safari on iOS. Here’s what happens:
- User is not logged in in Discourse or SSO master site.
- User navigates to Discourse instance.
- Discourse redirects to SSO page.
- SSO page prompts for credentials. User logs in.
- User is stuck in a redirect loop between the SSO master site and Discourse, until Safari gives up.
- If the user then manually navigates to Discourse again, he is logged in.
I cannot reproduce this behavior with Chrome on the desktop.
While a client is in the redirect loop, multiple Started SSO process and User was logged on entries are generated, so it looks like the SSO process is successful, but somehow, after completing SSO, Discourse redirects the user to another SSO login, not to the start page.
This also affects old instances where SSO has worked fine before, so I do not think this is a Discourse configuration issue.
Does anyone have an idea what could be wrong here?
% correct. It was on Lax, the default. Changing it to Disabled fixed the issue immediately. (I assume this is a defense-in-depth thing, on top of your usual CSRF protections, so disabling it is not overly terrible for security?)
I’ve spent a very long time figuring out a similar issue was caused by this