we’re using Discourse [v2.3.0.beta2 +130] with SSO. For a few months now (sorry that I can’t pinpoint the exact update that caused the issue) collegues are reporting SSO redirect loops (followed by 429 errors which is ok) when clicking on discourse links in webmail clients. This only happens, if one is already logged in. We can reproduce in Firefox and Chrome on Windows and Linux. Steps to reproduce:
When logged out of discourse (all cookies cleaned etc)
Click on a Disourse link in Gmail or Zimbra
A new tab opens with the Discourse URL
After getting redirected to our SSO login enter your credencials
You get successfully logged in
Click on another Discourse link in Gmail or Zimbra
A new tab opens with the Discourse URL
You get redirected to the SSO login
Then you get redirected back to Disrourse with the token in the URL
Then Discourse redirects you back to the SSO login
and so on …
Strangly this doesn’t happen if the link is copy/pasted instead of clicked on. This strikes me as weird.
I’d be interested to check the email provider responsible for sending emails on behalf of your discourse install, I’ve seen similar behaviour on a client when they accidentally enabled email tracking (which essentially rewrites the links) on the discourse emails.
There can be other potential candidates too which may need the forum link for identification.
It’s a real desktop browser. Right-click → copy link location → paste works. A simple left-click opens a new tab and then hangs in the loop. I don’t know if some Javascript is interfering with what’s actually happening or if it’s just a target=blank.
When clicking on the link I’m in the redirect loop, if I copy/paste it it works.
I’m … puzzeled.
The only thing I can think of that’s different in a browser when clicking on a link vs. copy/pasting the link is the referrer.
Sorry if maybe I’m saying the most obvious but I see the problem origin on this issue on WebKit WebView
I tried workarounds mentioned here on discourse forum with no success
One of my colleagues (he’s a web programmer, me not) purposed to change something on the SSO provider (not myforum.com/session/sso_provider) so that when it calls the forum sends a GET in URL querystring with an extra parameter login=mylogin
Likely the token creation call goes
from myssoprovider.com/sso?sso=xxxxx&sig=xxxxx
to myssoprovider.com/sso?sso=xxxxx&sig=xxxxx&login=mylogin
But AFAIK it’s not possible to implement such a thing on discourse side from settings panel, rather it’s a mod that goes deeper and can cause problems or going lost in updates.