SSO Stopped working 🤔

Hey guys!

I’m processing the SSO authentication in my PHP backend. I start by sending a curl request to my SSO URL ( so I can get the SSO Payload and SIG, then proceed to create my own payload to create the proper redirect url.

Here’s where it gets weird…

If I access in my browser, copy/paste the SSO and SIG into my script, the final redirect URL will work.

If I get it through CURL, the final redirect will show an error message and I’ll have this in my log:

Verbose SSO log: Nonce has already expired

I’m at a loss here… The problem seemed to have appeared out of no where and now my users can’t log in.

Did discourse change something to prevent bots from pigning /session/sso?

Yes, the nonce is now attached to the session of the user that it was generated for. It looks like the problem you are having is related to this:

Instead of making a curl request, the expectation is that the user who is to be authenticated will visit /session/sso, either by clicking the site’s Log In button, or by being redirected to /session/sso from your application. When they do that, they will be redirected back to your application by Discourse. The nonce that is found in that payload will be valid.

1 Like

That’s what I’ve had to do to fix the issue, but that breaks my asynchronous login process. :frowning: I really liked doing things that way.

I’ve also tried doing it through Axios. I would’ve expected it to work since the request is coming from the client. It doesn’t seem to be working either.

If you think of a way I could implement an asynchronous login process, I would welcome any tips! In any case, thank you for the response, greatly appreciated.

1 Like