Official Single-Sign-On for Discourse (sso)


(Kane York) #259

I think you can set the _t cookie to the auth_token column of the users table.

Or, uh, you know, manually apply the Set-Cookie headers you get while performing a login?

(Jeremy) #260

Is there any way to automatically sign them in when they hit the discourse forums, if they are already logged into our system? If do they always have to hit “Login” on the discourse forum first?

(Felix Freiberger) #261

If your forum should only be available to SSO users, you can enable the require login site setting, and users will be logged in automatically. If not: I don’t think there is an easy way to do it.

(Dylan Damsma) #262

What I’ve done is sending users that are logged in on our platform to the link:

and those that are not logged in to:

Not sure if it’s the right method, but seems to work for us.

(Jesse Perry) #263

Is there a way to disable #3 in this list and make the login fail if the user doesn’t already exist (if external_id or matching email doesn’t match) on the Discourse?

(Ivan) #264

When I sign in via Discourse ‘Log In’, I keep hitting a page that says “Nothing Found. Ready To Publish Your First Post?.” The URL looks something like, “Example Domain”.

Could anyone explain how I could just send the user to our homepage?

To be clear, this doesn’t happen when a user logs in via WP ‘Log In’.

(Ionut Georgian Ciobanu De Radu) #265

Two questions:

  1. Why is there a \n added to the end of the the base6d encoded string?
  2. Could you please provide a complete payload and signature example to send to Discourse?

1c884222282f3feacd76802a9dd94e8bc8deba5d619b292bed75d63eb3152c0b TODO update example - this is not correct signature

(Brett Wallace) #266

Quick question if anybody has a minute to answer.

If a user is inactivated on the site used for SSO, how does discourse know/handle it?

(Felix Freiberger) #267

It doesn’t – it’s the SSO site’s responsibility to handle this. It should prevent new sign-ins and possibly log the user out remotely via the API*.

*It would be awesome if Discourse had an API to log out users using their external_id

(Kane York) #268

Yeah, right now that takes two requests - first is /users/by_external and second is the log out.

(Guss Davey) #269

What if I want to do it a different way round. I want Discourse to register the user, but then I want to pull the data to my home site, for the additional non forum features I provide my customers?

OR authenticate my websites login again Discourse (being the end point)

(Daniel Lynch) #270

@Guss I think what you want is Using Discourse as a SSO provider


Can someone please update the “real world example” with the correct signature?

(Jeff Atwood) #273

The signature in the example is correct AFAIK. Is there an error in your code?


Are you sure it’s correct? Someone seems to think that it’s not.

I’m guessing there is an error in my code – after redirecting to the session/sso_login endpoint I get a timeout error – but it’s hard to know what to fix if I can’t trust the example. And the signature is the only thing that I can’t reproduce correctly.


(Adli Bazuli) #275

SSO secret: d836444a9e4084d5b224a60c208dce14

Payload is Base64 encoded: bm9uY2U9Y2I2ODI1MWVlZmI1MjExZTU4YzAwZmYxMzk1ZjBjMGI=\n

HMAC-SHA256 is generated on the Base64 encoded Payload: 2828aa29899722b35a2f191d34ef9b3ce695e0e6eeec47deb46d588d70c7cb56

In the example above, how does the HMAC-SHA256 is generated?
I am getting
Tested against online HMAC generator e.g

I managed to get the server end payload signed correctly but couldn’t figure out verifying the payload from discourse server. Or maybe I am reading the instruction wrong somewhere?

(vikas kumar) #276

im also new to this HMAC-SHA256 need to be generated like

nonce = SecureRandom.hex
payload = "nonce=#{nonce}&name=#{}&username=#{}&email=#{}&external_id=#{}"
base64_string = Base64.encode64(payload)
url_encoded_string = URI::encode(base64_string)
hmac_256_string = OpenSSL::HMAC.hexdigest('sha256', secret , base64_string)

(Ally Tibbitt) #277

So new to this. Here’s what I’d like to happen. We have a membership WP site. I’d like everyone who signs-up as a member to automatically have an account created for them on our discourse app. I’d also like other people, as well as members, to be able to sign-up to take part in public Discourse discussions - ideally using their social media profiles. I just wanted to clarify that this possible to do “out-of-the-box” using the vanilla WP plugin? All help much appreciated.

(Adli Bazuli) #278

I could the redirect portion to work. I am working in Java though. The part I don’t understand is validating discourse payload against the signature. I couldn’t generate a matching signature with the same key.

        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec keySpec = new SecretKeySpec(
                "mykey".getBytes("UTF-8"), "HmacSHA256");
        // extract signature as bytes
        byte[] sigBytes = DatatypeConverter.parseHexBinary(sig);
        // Generate hmac
        byte[] hashed = mac.doFinal(sso.getBytes("UTF-8"));

        // sigBytes and hashed not match
        if (!Arrays.equals(sigBytes,hashed)).....more code

(vikas kumar) #279

Validate the signature, ensure that HMAC-SHA256 of sso_secret, PAYLOAD is equal to the sig
same issue i have , i just skipped this step and created new payload and redirect to discourse forum with current user.

here is the code that i have found for validation

def sso


self.resource = warden.authenticate(auth_options)
resource_name = self.resource_name
sign_in(resource_name, resource)
if member_signed_in?
# redirect to forum
sig = params[:sig]
sso = params[:sso]
if OpenSSL::HMAC.hexdigest(‘sha256’, SSO_SECRET, sso) == sig
nonce = Base64.decode64(sso)
sso = Base64.encode64(nonce + ‘&username=’ + resource.nick + ‘&email=’ + + ‘&external_id=’ +
sig = OpenSSL::HMAC.hexdigest(‘sha256’, SSO_SECRET, sso)
return_params = { sso: sso, sig: sig }
redirect_to generate_url( FORUM_URL, return_params )
redirect_to root_path, alert: t(’.sign_in’)