SSO 和带加号的电子邮件地址

thabbs · 2018 年10 月 1 日 13:39

I’m not sure if this is an implementation error on my side or if this is a bug in the SSO implementation of Discourse.
Users having a plus-extension in the local part of their e-mail address got an error since Discourse interpretes the plus sign as space.

Following Official Single-Sign-On for Discourse (sso) I must not urlencode the payload before encoding it to base64.

Here my basic implementation, written in php:

$email = 'user+extension@example.com';
$payload = base64_encode($nonce. "&email={$email}&external_id={$external_id}&username={$realname}&name={$realname}");
$return_sig = hash_hmac('sha256', $payload, $token);
header("Location: $referer/session/sso_login?sso=". rawurlencode($payload) ."&sig=". $return_sig);

Discourse throws the error: “Nonce has already expired” and writes down the e-mail address as “user extension@example.com” with a space instead of a plus sign.

sam · 2018 年10 月 2 日 01:30

You need "nonce=" . $nonce. there…

thabbs · 2018 年10 月 2 日 07:30

This is already there and was not the reason for my request.

(
    $nonce = base64_decode($sso);
    # starts with nonce=...
)

david · 2021 年4 月 14 日 10:46

我知道有点晚了，但如果其他人也遇到这个问题，希望能帮上忙。

实际上，我们应该在 base64 编码之前对负载进行 URL 编码。我们的 WordPress 插件和 Ruby 实现都使用库函数来构建负载，这些函数会自动处理编码问题。

我已更新文档以使其更加明确：

话题		回复	浏览量
Registration email address special characters Support	2	475	2021 年8 月 16 日
Watch out for double url encoding of SSO payload SSO	0	1549	2019 年7 月 28 日
Implementing SSO, nonce immediately expires Support	3	2083	2024 年6 月 8 日
SSO - "There is a problem with your account. Please contact the site's administrator." SSO	17	4829	2024 年3 月 2 日
HMAC-256 example on Official SSO page SSO	3	2699	2018 年9 月 11 日

SSO 和带加号的电子邮件地址

相关话题