SSO issue: I end up logged in as another Discourse user


(Christopher Heald) #1

I have Wordpress set up as the Discourse SSO provider, and when I register on Wordpress and log in the first time, SSO works properly, and a new Discourse account is created for my new user.

However, when I go from my Wordpress site to my user profile on the Discourse site, I see my profile as I would see another user’s profile. And my avatar changes over to another user’s avatar. Clicking on the avatar user menu takes me to that user’s profile, with full privileges for that user. I end up logged into Discourse as another user. This is scary:

I am reliably hitting this issue. Anybody have any ideas how to troubleshoot and/or resolve?


(Jeff Atwood) #2

You definitely have SSO implemented incorrectly. I can tell you that with 100% certainty :wink:


(Christopher Heald) #3

A better explanation would be helpful. When I log in as my admin user, I don’t see this issue. If SSO weren’t implemented correctly, wouldn’t this issue occur all the time?


(Christopher Heald) #4

It’s actually only happening for one user, as far as I can tell. This still should not happen.


(Jeff Atwood) #5

Well, identity on the Discourse side is based on email, which must be unique and validated. Any email overlap there?


(Christopher Heald) #6

There is no email overlap between the two users, but this is on my dev site, which is running a restored backup of my live site.

As a Discourse admin, I compared Single Sign On information for the record of the user who my test user ended up logging in as, on both my dev and production sites. The record looks fine on production (correct user email and username), whereas the dev site record has my test user’s email and user name in place of the target user’s email and user name. However both records have the same External ID.

I’m chalking this up to dev server weirdnesses, where I have had to repeatedly delete and re-create users. A couple of things that possibly could have caused this, as a heads-up to others:

  • When I first set up my dev server, Discourse was still trying to authenticate SSO against the production Wordpress server instead of the dev Wordpress server. Not good.
  • During testing on dev server, I have deleted and recreated test users several times from the Wordpress users, but not necessarily from the Discourse users. No idea what behavior that could cause.
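
The failure mode described in this post (a restored SSO record whose External ID collides with a freshly created provider-side user) can be reproduced offline with a small model. The following is an added example, not code from Discourse or from the Wordpress SSO plugin: the payload construction follows the Discourse SSO (DiscourseConnect) wire format (URL-encoded parameters, base64, HMAC-SHA256 hex signature over the base64 string), but the record store, the lookup order in `resolve_user`, the `stale_mapping_warnings` check, the secret, the user names, emails and external IDs are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret (the "sso secret" site setting); constructed for this example.
SSO_SECRET = b"example-shared-secret-not-for-production"


def sign_payload(params: dict, secret: bytes = SSO_SECRET) -> dict:
    """Provider side (Wordpress in the thread): urlencode the user params,
    base64 them, and sign the base64 string with HMAC-SHA256 (hex digest)."""
    sso = base64.b64encode(urlencode(params).encode()).decode()
    sig = hmac.new(secret, sso.encode(), hashlib.sha256).hexdigest()
    return {"sso": sso, "sig": sig}


def verify_payload(sso: str, sig: str, secret: bytes = SSO_SECRET) -> dict:
    """Consumer side: reject any payload whose HMAC does not match before decoding it."""
    expected = hmac.new(secret, sso.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("SSO payload signature mismatch")
    return {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}


@dataclass
class SsoRecord:
    """Constructed stand-in for a single-sign-on record row: external_id -> forum user."""
    external_id: str
    username: str
    email: str


def resolve_user(payload: dict, records: list) -> Optional[SsoRecord]:
    """Simplified model of consumer-side identity resolution (assumption, not Discourse's code):
    an existing record for the external_id wins outright; otherwise fall back to the
    (assumed validated and unique) email; None means a fresh account would be created."""
    by_ext = {r.external_id: r for r in records}
    if payload["external_id"] in by_ext:
        return by_ext[payload["external_id"]]
    by_email = {r.email.lower(): r for r in records}
    return by_email.get(payload["email"].lower())


def stale_mapping_warnings(payload: dict, records: list) -> list:
    """Hypothetical pre-login check: flag an external_id that already maps to an
    account whose email differs from the one the provider has just asserted."""
    warnings = []
    for r in records:
        if r.external_id == payload["external_id"] and r.email.lower() != payload["email"].lower():
            warnings.append(
                f"external_id {r.external_id} is mapped to {r.username} <{r.email}> "
                f"but the provider asserts <{payload['email']}>"
            )
    return warnings


# Constructed records, standing in for rows restored from a production backup onto dev.
RESTORED_RECORDS = [
    SsoRecord("17", "target_user", "target@example.com"),
    SsoRecord("3", "admin", "admin@example.com"),
]

# Constructed payload for a test user created fresh on the dev Wordpress, whose
# auto-assigned id happens to collide with a production user's external_id.
TEST_USER_PAYLOAD = {
    "nonce": "constructed-nonce-1",
    "external_id": "17",
    "email": "test.user@example.com",
    "username": "test_user",
}


def demo() -> tuple:
    """Sign, verify, resolve; returns (resolved username or None, list of warnings)."""
    signed = sign_payload(TEST_USER_PAYLOAD)
    payload = verify_payload(signed["sso"], signed["sig"])
    resolved = resolve_user(payload, RESTORED_RECORDS)
    return (resolved.username if resolved else None,
            stale_mapping_warnings(payload, RESTORED_RECORDS))


if __name__ == "__main__":
    who, warns = demo()
    print("logged in as:", who)
    for w in warns:
        print("WARNING:", w)
```

Running the script resolves the test user to `target_user`, because the signature is valid and the external_id match is taken before the email is ever consulted; the signature only proves the payload came from the trusted provider, it says nothing about whether that provider's ID space matches the one the restored records came from. The `stale_mapping_warnings` check is one place an operator could surface the email mismatch before the session is issued, and the same comparison can be run as a one-off audit over exported records after any restore.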

(Kane York) #7

This would do it. Try not to restore backups from dev into prod.


(Christopher Heald) #8

Agreed.

I would also add that if you are running Discourse in an SSO setup, maintaining separate backups of Discourse and Wordpress (in our case) could lead to a world of hurt if you need to do a full recovery.

[Edit:] Actually - what is the recommended backup solution for a Wordpress-Discourse SSO site?