Official Single-Sign-On for Discourse (sso)


(Cedric) #343

I’m getting an ERROR 403 after login in on the remote site… Any idea why?


(zqcolor) #344

Hi there:

Get ‘invalid request’ from sso, I verified the sso and sig in the link with third party hmac-sha256 tools (, which is not much, but third part result is same as the var_dump from the wordpress plugin from pt-wp-discourse-sso, I have upgraded to latest version of discourse, same thing happened. Do you guys changed the algorithm in the sso and sig part.

Decode the sso part by base64, which is the nonce and return link, according to the instruction below(Official Single-Sign-On for Discourse (sso)): it seems payload should be the nonce only, but I have tried nonce only with hmac_sha256, but still not much.

I currently bypass the validation of sso and sig, but I am not sure if there will cause security problem even with ssl? Please let me know if you have any suggestion, Thanks a lot!

Thanks a lot!

(Leo Giovanetti) #345

Hi @Joey_Tuan, thanks for sharing this, I too want to use Auth0 as seamless as possible but I couldn’t see how to use your instructions.

Can you please point me to some further documentation or maybe a blog post you did somewhere with the detailed instructions to make it work with Auth0?

Thanks a lot in advance.

(Tarak'ha (Sara)) #346

There appears to be a plugin that may help you with this.

I hope my efforts provide you with a good lead for your needs.

(Leo Giovanetti) #347

Hi @purldator,

Actually I already tried that plugin and it did not fulfill my needs as I wanted a more seamless experience.

You can see that @Joey_Tuan commented not to use it in order to go with a more simplified way to use Auth0 with Discourse:

Thanks anyway.

(Jay Patel) #348

is sso more preferred over normal login on discourse for long run?

(Jay Pfaffman) #349

Nor at all. SSO is appropriate when Discourse is added on to another site and you don’t want people to have to log in twice. If your users all work at the same company and are logged in there, for example SSO keys you integrate Discourse with other systems in the company.

(Joshua Rosenfeld) #350

At the same time, if the forum is independent of another site, or the other site doesn’t have a login/account system, SSO would be inappropriate as it would require users to go somewhere else to login (where?) without any benefits of logging in elsewhere.

(Jay Patel) #351

Oh Thanks Jay got it :slight_smile:


I’ve enabled SSO on our new Discourse site and I’m trying to create the SSO server but I’m getting kinda stuck.
Whenever I go to the forum I get immediately redirected to the sso page.

EDIT: Fixed the immediate redirect I had login required enabled.

Then when I redirect to the forum I get a message that says
Account login timed out, please try logging in again.

When I check the logs I see
Verbose SSO log: Nonce has already expired nonce: name: username: email: avatar_url: avatar_force_update: require_activation: bio: external_id: return_sso_url: admin: moderator: suppress_

I don’t really understand why it’s expired and it doesn’t let me access the forum anymore.
I haven’t fully implemented the SSO page it just fills in some temporary hardcoded data in the payload now but I don’t see why that would be the issue for this behavior because if I would return the data of a logged in user it would be exactly the same data.

This is the code I wrote for the SSO server for testing.


EDIT: Finally got it working :slight_smile:
I had $return_payload = base64_encode(urlencode($payload_query));
Without the urlencode it works :slight_smile:


I’m trying to set it up for Discourse to use Shopify. Not sure if it even works, I’m currently stuck at the first step. Can anyone please help?

(Malik Rumi) #357

Hello all. I am new here. I am trying to see if, and how well, I can integrate Discourse with my existing Python 3 site on Heroku. With regard to the above quote, I thought this was the whole point of SSO?! in other words, I thought what michaelr524 is asking here was the default behavior of SSO - for Discourse or any other app?! But apparently not. Where can I get good, detailed information on this issue? Are the IFRAME and js solutions proposed here the best/only options? I saw a reference to a Python LDAP on this same thread, so I am a little confused as to what is possible and what isn’t, and what works and what doesn’t. Anyone wishing to enlighten me is gratefully welcomed.

(Jay Pfaffman) #358

Indeed, but, as I understand it, you have to click login the first time because that’s what gets Discourse to copy the stuff over via SSO. Until they’ve logged in the first time, the account doesn’t exist in Discourse. Once they’ve connected once, they won’t need to log in again.


I have a feature request for error messages.

There are multiple things that can go wrong on the SSO side when authenticating a user. Currently the user will end up being stuck on the SSO page if there was a failure.
I believe the consumer (Discourse forums in this case) should always display what went wrong (if possible).

This is why I would like to see support for error message in the payload.


Which would display the error message when the user is redirected back to the forums.


(Jason Musgrave) #362

How does this coexist with Social Signup? I’ve got it working with an instance locally using the vagrant instructions. Enabling SSO appears to disable signup, does it disable the various social signup/logins as well?

(Sam Saffron) #363

SSO is all or nothing. It does not coexist with anything.

If you want a custom auth method you would implement a plugin and a oauth2 endpoint on your side.

(Jason Musgrave) #364

Thanks, @sam! Which oauth2 grant type do you support?

(Sam Saffron) #365

Nothing is built in, you will need to search for the oauth2 generic plugin in the #plugin category.

(Erlend Sogge Heggen) #366