RuntimeError Bad signature for payload during SSO login and signup

(Neil Lalonde) #1

We’re seeing a lot of people having trouble writing the code for their websites to integrate with Discourse’s single sign on, getting

RuntimeError “Bad signature for payload”

This topic outlines the process, but if your code is calculating something incorrectly, then your users will get that unhelpful error.

The first step to solving this problem is to compare your code with the samples provided in the sso category:

Let’s post solutions in this topic. What was wrong and how was it fixed?

(Neil Lalonde) #2


The relevant code from the PHP code sample is here:

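// Fields returned to Discourse for the logged-in user
$params = array(
  'nonce' => $nonce,
  'name' => $current_user->display_name,
  'username' => $current_user->user_login,
  'email' => $current_user->user_email,
  'about_me' => $current_user->description,
  'external_id' => $current_user->ID
);

// Base64 of the form-encoded fields; the HMAC is computed over this Base64 string
$payload = base64_encode(http_build_query($params));
$sig = hash_hmac("sha256", $payload, $sso_secret);

// Query string carrying the payload and its signature, each URL-encoded once
http_build_query(array("sso" => $payload, "sig" => $sig));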

It’s possible that using urlencode instead of http_build_query can cause the “Bad signature for payload” error.
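The following is an added example, not part of the original posts and not Discourse's own code. It is a Ruby sketch of a receiver-side check, assuming the receiver recomputes HMAC-SHA256 over the decoded `sso` value as the PHP sample does, and it shows one plausible form of the urlencode mix-up: signing the URL-encoded payload, which fails only when the Base64 string ends in `=` padding. The secret, nonce, user fields and all function names are constructed for illustration.

```ruby
require "openssl"
require "uri"

SECRET = "constructed-sso-secret" # constructed value, not a real secret

# HMAC-SHA256 hex digest, the same primitive as PHP's hash_hmac("sha256", ...)
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest("sha256", secret, data)
end

# Length check plus XOR fold, so timing does not depend on where bytes differ
def secure_equal?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Base64 of the form-encoded fields, like base64_encode(http_build_query($params))
def build_payload(params)
  [URI.encode_www_form(params)].pack("m0")
end

# Correct sender: sign the Base64 string itself, then URL-encode both fields once
def good_query(params)
  payload = build_payload(params)
  URI.encode_www_form(sso: payload, sig: sign(payload))
end

# Buggy sender (hypothetical): signs the URL-encoded payload instead of the payload
def buggy_query(params)
  payload = build_payload(params)
  URI.encode_www_form(sso: payload, sig: sign(URI.encode_www_form_component(payload)))
end

# Receiver-side check: decode the query, recompute the HMAC over the decoded sso value
def check(query)
  fields = URI.decode_www_form(query).to_h
  payload, sig = fields["sso"], fields["sig"]
  return :missing_field unless payload && sig
  return :ok if secure_equal?(sign(payload), sig)
  return :signed_urlencoded_payload if secure_equal?(sign(URI.encode_www_form_component(payload)), sig)
  :bad_signature
end

# Constructed users whose payloads differ in length by one byte each
USERS = %w[7 42 999].map do |id|
  { nonce: "cb68251eefb5211e58c00ff1395f0c0b", username: "sam",
    email: "sam@example.com", external_id: id }
end

USERS.each { |u| puts "external_id=#{u[:external_id]}: #{check(buggy_query(u))}" }
```

A payload whose length is a multiple of three has no `=` padding, so the buggy sender verifies for that user and fails for the others, which is why this mistake can look intermittent in testing.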