SSO stopped working after upgrade to 2.6.2 (from 2.5.1)

On trying to login, it always returns:

“Login Error
Account login timed out, please try logging in again.”
on https://domain/session/sso_login?sso=bm9…&sig=e4f7…

and the Verbose SSO log has “Nonce has already expired”, I don’t see any other error messages.

It doesn’t work on both prod and dev environment, so I don’t think that it is related to the server configuration, nothing was changed in SSO code too.

I need some direction on where to dig in further, did something change in SSO or were any new configuration options added between 2.5.1 and 2.6.2?

Can it be the result of the recent:
Attach DiscourseConnect (SSO) nonce to current session

?

Are you able to share a link to your site? Do you have any unusual setup with an app, or are users simply using a browser?

Thanks for the details via PM @rysher. In case it helps anyone else, the problem here was that the DiscourseConnect flow is being initiated by a server-side request from the identity provider. This isn’t how the protocol is designed to be used, although before the recent security commit, it was technically possible.

The solution is to make sure that the users are directed to /session/sso in their own browser, before being redirected to the identity provider.

3 Likes