SSO Stopped working 🤔

Hey guys!

I’m processing the SSO authentication in my PHP backend. I start by sending a curl request to my SSO URL (https://forum.latranchee.com/session/sso) so I can get the SSO payload and SIG, then proceed to create my own payload to create the proper redirect URL.

Here’s where it gets weird…

If I access https://forum.latranchee.com/session/sso in my browser, copy/paste the SSO and SIG into my script, the final redirect URL will work.

If I get it through CURL, the final redirect will show an error message and I’ll have this in my log:

Verbose SSO log: Nonce has already expired

I’m at a loss here… The problem seemed to have appeared out of nowhere and now my users can’t log in.

Did Discourse change something to prevent bots from pinging /session/sso?

Yes, the nonce is now attached to the session of the user that it was generated for. It looks like the problem you are having is related to this:

Instead of making a curl request, the expectation is that the user who is to be authenticated will visit /session/sso, either by clicking the site’s Log In button, or by being redirected to /session/sso from your application. When they do that, they will be redirected back to your application by Discourse. The nonce that is found in that payload will be valid.

1 Like
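The flow this reply describes, as an added Python example (not code from the thread, from the original poster's PHP backend, or from Discourse itself): the provider verifies the `sso`/`sig` pair Discourse sends when the user visits /session/sso, then signs its own payload carrying that same nonce back to `return_sso_url`. The shared secret, nonce, URLs and user record are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def sign(secret: str, payload_b64: str) -> str:
    """HMAC-SHA256 (hex) over the base64 payload, the way Discourse computes `sig`."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()


def verify_payload(secret: str, sso: str, sig: str) -> dict:
    """Check `sig` against `sso` (constant-time) and return the decoded pairs."""
    if not hmac.compare_digest(sign(secret, sso), sig):
        raise ValueError("SSO signature mismatch")
    decoded = base64.b64decode(sso).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}


def build_login_redirect(secret: str, nonce: str, return_sso_url: str, user: dict) -> str:
    """Build the URL that sends the authenticated user back to Discourse.

    `nonce` must be the one Discourse issued for this user's own visit to
    /session/sso: a nonce fetched out of band (a server-side curl call, for
    instance) belongs to another session and is rejected as already expired.
    """
    payload = urlencode({
        "nonce": nonce,
        "external_id": user["id"],
        "email": user["email"],
        "username": user["username"],
    })
    sso = base64.b64encode(payload.encode()).decode()
    return f"{return_sso_url}?{urlencode({'sso': sso, 'sig': sign(secret, sso)})}"


def decode_redirect(secret: str, url: str) -> dict:
    """What Discourse does on the way back: split the URL, verify, decode."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return verify_payload(secret, query["sso"], query["sig"])


def fake_discourse_request(secret: str, nonce: str, return_sso_url: str):
    """Constructed stand-in for the sso/sig pair Discourse sends to the provider."""
    raw = urlencode({"nonce": nonce, "return_sso_url": return_sso_url})
    sso = base64.b64encode(raw.encode()).decode()
    return sso, sign(secret, sso)
```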

That’s what I’ve had to do to fix the issue, but that breaks my asynchronous login process. :frowning: I really liked doing things that way.

I’ve also tried doing it through Axios. I would’ve expected it to work since the request is coming from the client. It doesn’t seem to be working either.

If you think of a way I could implement an asynchronous login process, I would welcome any tips! In any case, thank you for the response, greatly appreciated.

1 Like