After a rebuild today with 3.3.3 (latest stable released a few days ago), SSO stopped working. Still logged in users are fine for now, but new sessions end the SSO flow with the error:
Account login timed out, please try logging in again.
Enabling verbose discourse connect logging shows
Verbose SSO log: Nonce is incorrect, was generated in a different browser session, or has expired
However, nothing on our SSO flow has changed in the last years. Clocks between servers are in sync.
On the other hand, we have very recently updated to 3.3.3 (from 3.3.2), which has security fixes related to Discourse Connect that could be related.
Unlikely relevant, but the rebuild was to enable a CDN. But, I have already reverted all those changes and the SSO issue remains.
After several rebuilds, I was able to make SSO work again by pinning it back to v3.3.2 so it does seem that something was introduced in v3.3.3 that broke SSO support.
I had a cursory look at a git diff v3.3.2 v3.3.3 and nothing obvious jumped out, but it does have changes related to Discourse Connect.
However, I suspect this will start hitting more people as they move to 3.3.3 and user sessions start to expire and fail to renew. Maybe worth a closer look by someone who knows the code, especially the SSO flow? /cc @sam
PS: Not sure if it may be relevant: I had updated to 3.3.3 over a day ago, but the issues seem to have only come up soon after a rebuild via the console a few hours ago (to enable a CDN, but reverting that didn’t fix SSO).
Yes, in the sense that most people run the tests-passed branch, but no in the sense that it’s the latest release on the stable branch, shipped this week: 3.3.3: Security and maintenance release