SSO login appears to have stopped working

jeffbonasso · January 23, 2022, 12:13pm

I have had SSO integration from my site for a few years now with no issue.

Recently users started saying that when they login it redirects to my site to login and then ends back up at Discourse still showing they need to Login. I having been trying to debug but I am not seeing any issues. It just seems like at the end when it does the redirect to Login something is going wrong.

When I look in Discourse the user account is created, but for some reason it is not logging them in.

Here is a quick video showing what I am seeing…

I followed this info:

…and am using the latest discourse-sso javascript library.

This is my AWS Lambda which is fronted by an API Gateway…

'use strict';

exports.handler = (event, context, callback) => {
    console.log(event);

    var discourse_sso = require('discourse-sso');
    var sso = new discourse_sso("********************"); // secret hidden

    var body = JSON.parse(event.body);

    var payload = body.sso; // fetch from incoming request 
    var sig = body.sig; // fetch from incoming request 
    
    if(sso.validate(payload, sig)) {
        var nonce = sso.getNonce(payload);
        
        var userparams = {
            // Required, will throw exception otherwise 
            "nonce": nonce,
            "external_id": body.externalId,
            "email": body.email,
            // Optional 
            "username": body.username,
            "name": body.name
        };
        
        console.log("User: " + JSON.stringify(userparams));
        
        var q = sso.buildLoginString(userparams);

        console.log("q: " + q);

        // Redirect
        var response = {
            statusCode: 200,
            headers: {
                "Access-Control-Allow-Origin": "*"
            },
            body: JSON.stringify({"q":q})
        };
        
        callback(null, response);
    } else {
        // What to do if doesn't validate?
        var responseError = {
            statusCode: 200,
            headers: {
                "Access-Control-Allow-Origin": "*"
            },
            body: JSON.stringify({"error":"SSO Validation Error"})
        };

        callback(null, responseError);
    }
};

When the Login button is clicked from Discourse it calls my web app where the user is validated and then if validation passes calls the following…

						if (state.get(["appState", "urlParams", "sso"]) && state.get(["appState", "urlParams", "sig"])) {
							var userMetadata = getUserMetadata(result);

							var body = {
								sso: state.get(["appState", "urlParams", "sso"]),
								sig: state.get(["appState", "urlParams", "sig"]),
								externalId: keyPrefix,
								email: userMetadata.email,
								name: userMetadata.name,
								username: username
							};

							request
								.post('https://**********.execute-api.us-east-1.amazonaws.com/prod/discourse-sso')
								.send(body)
								.end(function (err, res) {
									if (err || !res.ok) {
										alert(err.message);
									} else {
window.location.replace("https://forum.miralouaero.com/session/sso_login?" + res.body.q);
									}
								});
						}

Any help understanding what may be going on would be appreciated.

david · January 23, 2022, 12:25pm

This is most likely caused by a bug in Chrome 97, which was released this month. While we wait for Google to roll out a fix, we’ve added a workaround to Discourse. Upgrading your site to the latest version should solve the problem.

jeffbonasso · January 23, 2022, 12:59pm

Unfortunately I am using a hosting provider. Any other workarounds? If I turn off SSO off for the time being from Discourse and then turn back on when fixed will that wreak any havoc? I assume users would have to manually create an account in that case. When I re-enable just curious if then will create a new account associated with my system.

david · January 23, 2022, 1:31pm

I’m afraid not. Our managed discourse.org hosting is up-to-date. Can you share which provider you’re using? We might be able to get in touch and let them know about the update.

If email addresses match up, then it should work seamlessly. Initially, users will need to use the “forgot password” button to create a password

RGJ · January 23, 2022, 1:43pm

@jeffbonasso I see you’re hosted with us, we’re going to look for a solution for you. Can you please create a ticket using our control panel, referring to this topic?

No, that would work. If you turn it back on then the SSO will recognize the email address.
But existing users might have a hard time logging on, since they don’t have a password for the forum directly.

@david May I ask - which Discourse commit contains that fix?

david · January 23, 2022, 2:54pm

For the stable branch, this is the fix:

github.com/discourse/discourse

FIX: Bypass service worker on the SSO path (#15558) (#15560)

committed 12:08AM - 13 Jan 22 UTC

davidtaylorhq

+2 -2

This is a workaround a behavior change in Chromium v97. The following text was …sent to the blink-dev mailing list: > This change broke a SingleSignOn login on the FOSS software Discourse. We have a flow like: > > 1. User visits forum.siteA.com, click login > 2. Gets redirected to idp.siteB.com > 3. Fills login details > 4. Gets redirected to forum.siteA.com/session/sso_login?parameters > 5. Gets redirected to forum.siteA.com/homepage > > On step 4, the response includes a `set-cookie` header, with proper `HttpOnly; SameSite=Lax; Secure `and set. But if there is an active service worker, the login will fail as that cookie will be rejected by Chromium due to SameSite rules now. > > t=2971 [st=258] COOKIE_INCLUSION_STATUS > --> domain = "forum.siteA.com" > --> name = "_t" > --> operation = "store" > --> path = "/" > --> status = "EXCLUDE_SAMESITE_LAX, DO_NOT_WARN" > > The service worker is a vanilla WorkboxJS service worker that intercepts all GETs with the "Network First" strategy. > > Disabling the service worker or using Firefox results in a successful login. There is no warning in either DevTools network tab nor the console that the cookie was rejected. > > Chrome 96: login works > Chrome 97: login does not work > Chrome 98: login does not work > > Is this expected behavior? Even if the request `GET forum.siteA.com` was initiated because of a redirect from a different domain, is it expected that Chrome will silently drop same site cookies from forum.siteA.com? Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>

There is a similar commit on beta and tests-passed as well

RGJ · January 23, 2022, 3:16pm

Thank you David,

That fix is already present on your forum since January 13 @jeffbonasso , so this cannot be it (or the reports you got are from before that date?)

jeffbonasso · January 23, 2022, 4:48pm

The video I created was with a test user I created this morning and the behavior was consistent with what a customer was experiencing. Interesting, I just tried logging in with Safari and it worked. I then tried Chrome again and that is also now working. The Chrome version I just tested with is Version 97.0.4692.99 (Official Build) (x86_64). I am going to reach out to a customer who was having issues to see if they are still having issues.

jeffbonasso · January 23, 2022, 5:27pm

FYI…the customer reported they are using the Brave browser, a Chrome derivative. He said it is still not working, He then tried Edge and it is working.

sam · January 24, 2022, 4:47am

our bypass is chrome specific, we may need to extend the net here @Falco / @david

I wonder if we should add a site setting to disable service workers that people can flick on if they experience issues like this?

Falco · January 24, 2022, 4:51am

It’s already fixed in the latest Chrome version since 2022-01-19T03:00:00Z so I believe the Chrome derivatives will follow shortly as the release with this fix, 97.0.4692.99, also includes one critical and 15 high security fixes.

david · January 24, 2022, 10:23am

We applied the DiscourseConnect fix across all browsers. The later global fix was specific to Chrome, but it should also target Edge/Brave thanks to their user agent strings:

Edge: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.55'

And Brave apparently doesn’t customize the default chrome user agent

Topic		Replies	Views
SSO redirect loop support	9	1665	May 3, 2021
Issues using SSO in custom web app dev	10	1311	January 9, 2018
SSO redirect loop with Lax cookies, but only for my IPhone?! sso	10	3714	March 27, 2019
Problem with WordPress <> Discourse SSO for logged in users wordpress	8	993	March 13, 2023
SSO locked me out of Discourse! sso	35	12224	September 19, 2018

SSO login appears to have stopped working

Related Topics