Sporadic issue wp-discourse/SSO: Nonce has already expired


(Leah Kramer) #1

Hi. We have this sporadic issue a couple of times per month where:

  1. a user signs up in WordPress
  2. they go to our Discourse forum and press the blue Login button
  3. the page hangs for several seconds (about 30) and then we get a 502 bad gateway error and the person is not logged in to Discourse nor is an account created

The URL that’s hanging on is:
https://OUR-FORUM-URL/session/sso_login?sso=LOTS-OF-BIG-LONG-ARGUMENTS

Over in the Discourse logs I see this (I’m not including real user info):

Verbose SSO log: Nonce has already expired nonce: bff3e6d112bb037832af3d0753cc1b3a name: FIRST LAST username: SOME-USERNAME email: SOME-EMAIL-ADDRESS avatar_url: https://secure.gra.....

I’ve searched here for “Nonce has already expired” but couldn’t find a solution that seemed applicable here. Especially since it’s very sporadically occurring with no clear pattern to it.

Any ideas?

Thanks!


(Simon Cossar) #2

That indicates that the nonce that is passed with the SSO payload has already been used. I’m wondering if this is related to customizations that have been made for Membermouse. If you could enable the verbose SSO logging setting on Discourse, it might be possible to get some information from the logs about what is happening.


#3

I used a similar method in several projects with lastest version of Wordpress and Discourse. I used Wordpress as SSO provider. It works correctly.

Are you using the standard Wordpress registration system? Custom functions on function.php can cause conflicts but it seems that your problem is not related to it. Also, you can check API and Webhooks.

After solving this problem you will probably need to be that:


(Leah Kramer) #4

Thanks @Simon_Cossar and @bekircem for the replies. So I came back 3 hours later and tried to reproduce the problem again and lo and behold it worked fine this time – i.e. Discourse created this user’s account with no issues.

It’s strange, between the two WordPress+Discourse sites I manage we have a dozen signups per day and this issue only pops up a couple of times per month. Whenever it happens, I’m able to reproduce it easily.

@Simon_Cossar, it looks like I already had “verbose sso logging” checked off. Where would I find the more verbose log information for future reference?


(Simon Cossar) #5

Go to Admin/Logs/Error Logs and then look for a date and time that’s close to when the error occurred. The SSO logs all start with the phrase Verbose SSO log.


(Leah Kramer) #6

Ah, I see, at the bottom of the screen. For the timestamp when this issue happened a few hours ago, the verbose SSO log contents are pasted below. I replaced anything sensitive with dashes but all those values looked normal.

I just now noticed that when I search my those Discourse logs for “Nonce has already expired”, I see that this issue actually happens once or twice per day.

Verbose SSO log: Nonce has already expired

nonce: bff3e6d112bb037832af3d0753cc1b3a
name: ----- -----
username: -----
email: -----@-----.-----
avatar_url: https://secure.gravatar.com/---------
avatar_force_update: false
require_activation: false
bio: 
external_id: ----
return_sso_url: 
admin: 
moderator: 
suppress_welcome_message: 
title: 
add_groups: 
remove_groups: 
groups: 
profile_background_url: 
card_background_url:

(Simon Cossar) #7

If you look back in the logs from there, do you see the same nonce being used for another SSO login attempt? You can use your browser’s search to look for it. A nonce shouldn’t appear more than twice in the logs - once for Started SSO process nonce and once if the nonce was used to login a user.

The other thing to look for is the time difference between when the nonce was created and when it was returned to Discourse.


Users losing group status?
(Leah Kramer) #8

OK I checked and the nonces are not being duplicated for any other login attempts. Whenever this issue is logged I see a pair of events like I pasted below.

They are often timestamped a minute apart (the seconds aren’t logged) which makes me wonder if Discourse is for some reason taking a really long time to do whatever it’s doing and by the time it’s done, it checks if the nonce is still valid but since X seconds have passed, it’s considered no longer valid/expired? That may be nonsense? :crazy_face: Just attempting to come up with an explanation. Does the code have something in it that says “this nonce must be cross-checked within X seconds?”

2 Aug 12:14 am
Verbose SSO log: Started SSO process nonce: 744992aea44953875d78b9c08781ae0e name: username: email: avatar_url: avatar_force_update: require_activation: bio: external_id: return_sso_url: http...

2 Aug 12:15 am	
Verbose SSO log: Nonce has already expired nonce: 744992aea44953875d78b9c08781ae0e name: ---- ---- username: ---- email: ----@----.--- avatar_url: https://secure.gravatar.com/avatar/---...

(Simon Cossar) #9

Yes, the nonce is valid for 10 minutes. From the log entries that you posted, the nonce expiry time isn’t the issue. I’ll look into this some more and see if I can find anything.


(Leah Kramer) #10

Another total long shot idea here – Is there a limit to the number of API interactions per hour? Just asking because this issue seems to resolve if I just try again several minutes or hours later.


(Simon Cossar) #11

Yes, there is a limit of 60 API requests per minute. This limit shouldn’t be affecting regular SSO login though. It will affect requests made to the sync_sso route - those requests include the API key.


(Jesse Perry) #13

This is an old-ish topic, but just wanted to share that I was having this same error message, but it was connected to the root issue that’s solved here: Imported Discourse -> Wordpress Users Get Error