SSO and e-mail addresses with a plus sign

I’m not sure if this is an implementation error on my side or if this is a bug in the SSO implementation of Discourse.
Users having a plus-extension in the local part of their e-mail address get an error, since Discourse interprets the plus sign as a space.

Following Official Single-Sign-On for Discourse (sso), I must not urlencode the payload before encoding it to base64.

Here is my basic implementation, written in PHP:

// $nonce holds the "nonce=..." string decoded from Discourse's sso parameter;
// $external_id, $realname, $token (the SSO secret) and $referer are set earlier.
$email = 'user+extension@example.com';
// Raw values are concatenated without urlencoding, so the '+' in $email is later read as a space.
$payload = base64_encode($nonce . "&email={$email}&external_id={$external_id}&username={$realname}&name={$realname}");
$return_sig = hash_hmac('sha256', $payload, $token);
header("Location: $referer/session/sso_login?sso=" . rawurlencode($payload) . "&sig=" . $return_sig);

Discourse throws the error “Nonce has already expired” and records the e-mail address as “user extension@example.com”, with a space instead of a plus sign.

You need "nonce=" . $nonce. there…

This is already there and was not the reason for my request.

(
    $nonce = base64_decode($sso);
    # starts with nonce=...
)

A bit late, I know. But in case anyone else runs into this problem.

Actually, we should urlencode the payload before base64-encoding it. Our WordPress plugin and our Ruby implementation use library functions to build the payload, which automatically takes care of the encoding.

I have updated the documentation to make this more explicit:
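As an added example (not code from the thread or from Discourse itself), the snippet below builds the payload the way the last reply describes, urlencoding the fields before base64-encoding, and puts it next to the naive concatenation from the first post so you can see why the plus sign turns into a space. It also verifies the signature on the incoming sso/sig pair before trusting the nonce, which is the check the earlier "$nonce = base64_decode($sso)" snippet skips. The secret, nonce, user fields and Discourse URL are constructed placeholders.

```php
<?php
// Added example, not from the thread. SSO_SECRET and the values under
// "demonstration" are constructed placeholders; replace with your own.
const SSO_SECRET = 'replace-with-your-sso-secret';

// Build the payload Discourse expects: urlencode the key/value pairs first,
// then base64-encode the resulting query string. http_build_query() applies
// RFC 1738 form encoding, so '+' becomes '%2B' and '@' becomes '%40'.
function build_sso_payload(string $nonce, array $user, string $secret): array
{
    $params = array_merge(['nonce' => $nonce], $user);
    $query  = http_build_query($params);           // nonce=...&email=user%2Bextension%40example.com&...
    $sso    = base64_encode($query);
    $sig    = hash_hmac('sha256', $sso, $secret);  // HMAC is computed over the base64 string
    return ['sso' => $sso, 'sig' => $sig];
}

// Verify an incoming request from Discourse (?sso=...&sig=...) and return its nonce,
// or null when the signature does not match. hash_equals() is constant-time.
function verify_incoming_sso(string $sso, string $sig, string $secret): ?string
{
    $expected = hash_hmac('sha256', $sso, $secret);
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    parse_str(base64_decode($sso), $fields);
    return $fields['nonce'] ?? null;
}

// What the receiving side sees: parse_str() applies the same form-decoding rules
// as Discourse's query parser, so a literal '+' in the payload decodes to a space.
function decoded_email(string $sso): string
{
    parse_str(base64_decode($sso), $fields);
    return $fields['email'] ?? '';
}

// --- demonstration with constructed values ---
$nonce = 'cb68251eefb5211e58c00ff1395f0c0b';   // constructed sample nonce
$user  = [
    'email'       => 'user+extension@example.com',
    'external_id' => '42',
    'username'    => 'user42',
    'name'        => 'Example User',
];

// Naive payload from the question: raw values concatenated, no urlencode before base64.
$naive = base64_encode("nonce={$nonce}&email={$user['email']}&external_id={$user['external_id']}"
                     . "&username={$user['username']}&name={$user['name']}");
echo 'naive   : ' . decoded_email($naive) . PHP_EOL;       // user extension@example.com (plus lost)

// Encoded payload: the plus sign survives the round trip.
$good = build_sso_payload($nonce, $user, SSO_SECRET);
echo 'encoded : ' . decoded_email($good['sso']) . PHP_EOL;  // user+extension@example.com

// Signature check on the way back in, as Discourse would do with the same secret.
$check = verify_incoming_sso($good['sso'], $good['sig'], SSO_SECRET);
echo 'verified: ' . ($check === $nonce ? 'yes' : 'no') . PHP_EOL;

// Redirect back to Discourse; http_build_query() also urlencodes both query parameters.
$discourse = 'https://discourse.example.com';   // placeholder for your Discourse base URL
echo $discourse . '/session/sso_login?' . http_build_query($good) . PHP_EOL;
```

Run it with `php sso_example.php`. The only difference between the two payloads is whether the field values went through a urlencoder before base64_encode(), which is exactly the point of the documentation update: the base64 layer preserves bytes, but the query-string layer underneath still treats a bare '+' as a space.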