This is the method that’s triggering the error:
    # Discourse's nonce check (app/models/discourse_connect.rb style). A nonce is
    # only accepted if it is present AND was stored when Discourse started the
    # SSO round trip.
    def nonce_valid?
      if SiteSetting.discourse_connect_csrf_protection
        # Nonce stored in the secure session: bound to the browser session that began the flow
        nonce && @secure_session[nonce_key].present?
      else
        # Nonce stored in the shared cache: not tied to any particular session
        nonce && Discourse.cache.read(nonce_key).present?
      end
    end
It’s checking that the nonce was generated by Discourse for the same session as the one that redirects the user back to Discourse.
You could try setting the discourse_connect_csrf_protection site setting to false. Its default value is true. It’s a hidden site setting, so it can only be disabled from the Rails console.
When enabled, the discourse_connect_csrf_protection setting ensures that the entire SSO authentication process occurs through browser redirects. If you are starting the authentication process by making a background request to session/sso, you will need to disable it. More details here: DiscourseConnect flow no longer functions - #5 by david.