Invite links (Accept Invitation Button) with SSO not working for stable v2.8.10

Hi Discourse team,

The Accept Invitation button does not work on stable v2.8.10. When you try to log in via SSO, it just redirects you back to the invite page, and Accept Invitation doesn’t do anything. No console errors are showing either. Can someone assist?

I believe it is related to the latest update: SECURITY: Fix invite link validation (stable) (#18818) · discourse/discourse@7e4e8c8 · GitHub

Cheers

2 Likes

Can you confirm how your site is configured?

Invitations didn’t historically work with SSO enabled. This could be a regression but we will need to know more.

1 Like

Hi @Stephen ,

Thanks for your response! What info do you need specifically? We have it self-hosted on the stable branch (v2.8.10) using the discourse-saml plugin with Okta (SSO). Prior to the 2.8.10 update, we were able to create invite links to groups and they would work: the user would log in via SSO and then be redirected to the topic specified in the invite settings.

Additional Info:

In the previous stable version v2.8.9, on domain.com/invites/invitecode:

  • A non-logged-in user would be presented with a screen that asks them to log in via SSO (Okta, which is specified in the app.yml SAML config). This redirects them to SSO to log in/register; afterwards it executes the invite actions (redirect to topic, add to group, etc.)

  • A logged-in user would automatically bypass the invite screen and the invite actions would be executed

In the current stable version v2.8.10, on domain.com/invites/invitecode:

  • Both non-logged-in and logged-in users are presented with the invite screen with 2 buttons:
    – Login via SSO Button
    – Accept Invitation (this is new)

When the Login via SSO button is clicked, the user is prompted to login (if not logged in) and will be redirected back to the invite page again.
When the Accept Invitation button is clicked, nothing happens.

We observed in the browser network console that there is a PUT request to domain.com/invites/show/invitecode.json which is returning a 504 error (only in the 2.8.10 version).

Is there a certain category I can move this to so I can report this bug?

1 Like

Confirming we have visibility on the issue. Any way you can confirm that this is not an issue on tests-passed and only exists in stable at the moment?

2 Likes

Hello @sam ,

Thanks for responding! Glad to hear you have visibility on the issue.

Unfortunately we do not have a tests-passed instance with SSO, as we’ve always stuck with stable. I do have a tests-passed branch without SSO and there are no issues there.

EDIT: I’ll give it a go to see if I can get a tests-passed instance with SSO running.

Hey @sam ,

I was able to spin up a tests-passed instance and it didn’t seem to be an issue for me on tests-passed.
Was able to accept invites. Hope this helps!

1 Like

Hi @sam !

Is there any chance stable could be backported so that it can be fixed on stable?

I saw that Discourse had an update: 2.8.11: Security Release

Is there any chance this update fixes this issue? :slight_smile:

1 Like

Yes we will update, thanks heaps for reporting, we will let you know once done. Give us a week or 2.

2 Likes

That’s awesome! Thanks @sam ! :raised_hands:

EDIT:
Just an FYI for others who may be experiencing this:

Version 2.8.11 of stable does not fix the issue. Clicking on Accept Invitation spews out a console log error now though:
PUT https://<DOMAIN>/invites/show/<INVITE_CODE>.json 404
The .json URL takes you to:

// https://<DOMAIN>/invites/show/<INVITE_CODE>.json

{
  "errors": [
    "The requested URL or resource could not be found."
  ],
  "error_type": "not_found"
}

Hi @hyphalos, I’ve started taking a look at this today. I’m unfamiliar with our SAML setup, so please bear with me.

This is a little strange; the “Accept Invitation” button should only show for logged-in users. Can you please post a screenshot of what both logged-in and logged-out users see for a specific invitation, and also what options you are choosing for the invitation here:

3 Likes

Hello @martin !

Thanks for getting back to me. Sorry for the delayed response, I was out sick.

I did some more testing, and what I’ve observed after updating to v2.8.11 is that people can only accept an invitation once, no matter the create-invite settings. I’ve tested it with Arrive at topic, without Arrive at topic, with Add to group, without Add to group, etc., and people can only accept invites once. Is this intended behaviour?

If a guest signs up but uses the same invite URL again, they’ll get stuck on the invite page (no redirection with Arrive at topic). When they click Accept Invitation, this error pops up:

EDIT: Just wanted to add that if it is intended behaviour, there is no error that shows up that “You’ve accepted this invitation before” or something along those lines, or just redirect to wherever the arrive at topic is set to in the invitation.

2 Likes

Yes, this is expected. Not the error, but the part where they are unable to Accept Invitation multiple times. We discussed this over at New 'accept invitation' prompt feature causing issues with invitation links - #14 by martin where I did a fix, but I see now I will need to backport that fix to stable as well. cc @sam

2 Likes

Hi @martin , that’s great, thank you for investigating!

2 Likes

I just committed this fix to stable here:

2 Likes

Hey @martin !

Thanks again for the fix!

I’ve updated to 2.8.12 (which according to the commit tag in the admin panel includes the fixes) and I now see an error message (on a test account) for attempting to accept an invite I’ve accepted once before on the test account:

[screenshot: sso-button]

Which is great!

Although, as someone already logged in, I didn’t expect the “Okta SSO” button to be displayed. When the button is clicked, it loops into SSO and then brings me back to the invite page. As the user is logged in, shouldn’t the login button be hidden to avoid confusion?