Get 'invalid request' from sso, I verified the sso and sig in the link with third party hmac-sha256 tools (http://www.freeformatter.com/hmac-generator.html#ad-output), which is not much, but third part result is same as the var_dump from the wordpress plugin from pt-wp-discourse-sso, I have upgraded to latest version of discourse, same thing happened. Do you guys changed the algorithm in the sso and sig part.
Decode the sso part by base64, which is the nonce and return link, according to the instruction below(https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045): it seems payload should be the nonce only, but I have tried nonce only with hmac_sha256, but still not much.
I currently bypass the validation of sso and sig, but I am not sure if there will cause security problem even with ssl? Please let me know if you have any suggestion, Thanks a lot!
Thanks a lot!