Rare SSO issue causing 500 error and no log entry

Hey there,

We have a rare bug (~5% of users) in our Discourse SSO implementation where the user authenticates against our backend, then is sent back to Discourse with the SSO and Sig parameters, but is returned the error message:

"There was a problem with your account. Please contact the site's administrator."

The user will be stuck in this message and be unable to continue, even on different browsers or devices. The following is then logged to the /var/discourse/shared/standalone/log/rails/production.log:

9638907-  Parameters: {"sso"=>"bm9uY2U9NDU2ZWMwNzhmNzdjZDI5NDIzMTA0NGZkZmU3MDlmNzkmZW1haWw9c2lsdmVydHJpczc5JTQwZ21haWwuY29tJmV4dGVybmFsX2lkPUE1OURCMjQ4ODIyNkM5RjYmdXNlcm5hbWU9U2lsdnJpcw==", "sig"=>"4ea1a0b741fe761e77cac5e0ce8c0385ae6c4b7b72fd37db298e64da82c8b180"}
9639164-  Rendered text template (0.0ms)
9639197:Completed 500 Internal Server Error in 51ms (Views: 0.9ms | ActiveRecord: 26.3ms)

Nothing is then logged to /var/discourse/shared/standalone/log/rails/production_errors.log or https://discourse.example.com/logs

We found a rather odd workaround. If we reset the user’s password in our backend, then log in on our computers, then set the password back to the original password, the users are then able to log in. /shrug

Any help would be greatly appreciated!

Is there anywhere else to look for info on these errors @sam?

Is verbose sso logging enabled per site settings?

I just enabled it, will wait for an error and let ya know.

Looks like it was

  Verbose SSO log: Record was invalid: User 
  {:ip_address=>"New registrations are not allowed from your IP address (maximum limit reached). Contact a staff member."}

Being caused by proxy users and Avast SafeZone users. I set the IP blocks to functionally unlimited (999999) and the problem has gone away for users. I’ll keep an eye on it for another day or so and see if it stays cleared up.

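
A triage helper for log lines like the one in the first post, added here as an example and not code from the thread or from Discourse: it decodes the sso payload and checks sig as an HMAC-SHA256 hex digest of the base64 payload under the shared SSO secret. The secret, the sample log line and all function names are constructed for the example.

```ruby
require "openssl"
require "uri"

# Constructed secret for this example; the real one is the site's SSO secret.
SSO_SECRET = "constructed-example-secret"

# Pull the sso and sig values out of a Rails "Parameters:" log line.
def extract_sso_params(line)
  sso = line[/"sso"=>"([^"]+)"/, 1]
  sig = line[/"sig"=>"(\h+)"/, 1]
  raise ArgumentError, "no sso/sig parameters in line" unless sso && sig
  [sso, sig]
end

# Compare two strings without returning early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the HMAC over the base64 payload exactly as received, then decode
# the payload into its fields (nonce, email, external_id, username, ...).
def inspect_sso(line, secret)
  sso, sig = extract_sso_params(line)
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, sso)
  fields = URI.decode_www_form(sso.unpack1("m")).to_h
  { signature_valid: secure_equal?(expected, sig.downcase), fields: fields }
end

# Build a constructed log line (not taken from the thread) for the demo.
def sample_line(secret, tamper: false)
  query = URI.encode_www_form(nonce: "0123abcd", email: "user@example.com",
                              external_id: "42", username: "example_user")
  payload = [query].pack("m0")
  sig = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  sig = sig.tr("0-9a-f", "1-9a-f0") if tamper # shift every hex digit
  %(  Parameters: {"sso"=>"#{payload}", "sig"=>"#{sig}"})
end

if __FILE__ == $PROGRAM_NAME
  p inspect_sso(sample_line(SSO_SECRET), SSO_SECRET)
  p inspect_sso(sample_line(SSO_SECRET, tamper: true), SSO_SECRET)
end
```

A valid signature alongside a 500 rules out a secret or encoding mismatch and points at validation of the user record, which is where the verbose SSO log located the failure in this thread.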