I’m processing the SSO authentication in my PHP backend. I start by sending a curl request to my SSO URL (https://forum.latranchee.com/session/sso) so I can get the SSO Payload and SIG, then proceed to create my own payload to create the proper redirect URL.
Yes, the nonce is now attached to the session of the user that it was generated for. It looks like the problem you are having is related to this:
Instead of making a curl request, the expectation is that the user who is to be authenticated will visit /session/sso, either by clicking the site’s Log In button, or by being redirected to /session/sso from your application. When they do that, they will be redirected back to your application by Discourse. The nonce that is found in that payload will be valid.
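An added example (not code from this thread or from Discourse itself) that models the flow described above in Python rather than PHP: Discourse mints the nonce when a browser visits /session/sso and binds it to that browser's session, so a payload fetched by a server-side curl carries a nonce that no browser session can later redeem at /session/sso_login. The shared secret, return URL and user record are constructed values; nonce expiry is not modelled.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SECRET = "hypothetical-shared-secret"            # constructed; stands in for the configured sso secret
RETURN_URL = "https://app.example/sso/callback"  # constructed; the application's DiscourseConnect endpoint
USER = {"id": "42", "email": "alice@example.com", "username": "alice"}  # constructed application user

def sign(payload_b64: str, secret: str = SECRET) -> str:
    """DiscourseConnect signature: hex HMAC-SHA256 over the base64 payload string."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()

def decode(sso: str, sig: str, secret: str = SECRET) -> dict:
    """Verify the signature in constant time, then unpack the query-string payload."""
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature")
    return {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}

def discourse_session_sso(session: dict) -> dict:
    """Model of GET /session/sso: mint a nonce, bind it to the visitor's session, sign the payload."""
    nonce = secrets.token_hex(16)
    session["sso_nonce"] = nonce
    sso = base64.b64encode(urlencode({"nonce": nonce, "return_sso_url": RETURN_URL}).encode()).decode()
    return {"sso": sso, "sig": sign(sso)}

def app_sso_callback(sso: str, sig: str, user: dict = USER) -> dict:
    """The application's endpoint: verify the payload, echo the nonce back with the user's identity."""
    params = decode(sso, sig)
    reply = urlencode({"nonce": params["nonce"], "external_id": user["id"],
                       "email": user["email"], "username": user["username"]})
    sso_back = base64.b64encode(reply.encode()).decode()
    return {"sso": sso_back, "sig": sign(sso_back)}

def discourse_sso_login(session: dict, sso: str, sig: str) -> dict:
    """Model of /session/sso_login: the signed nonce must be the one bound to THIS session."""
    params = decode(sso, sig)
    if session.pop("sso_nonce", None) != params["nonce"]:
        raise ValueError("nonce does not belong to this session")
    return params

def login_via(start_session: dict, finish_session: dict) -> bool:
    """Run the round trip; True only if the session that finishes it is the one that started it."""
    payload = discourse_session_sso(start_session)
    reply = app_sso_callback(payload["sso"], payload["sig"])
    try:
        return discourse_sso_login(finish_session, reply["sso"], reply["sig"])["external_id"] == USER["id"]
    except ValueError:
        return False
```

Calling `login_via(browser, browser)` succeeds, while `login_via({}, browser)` fails in the same way a curl-fetched payload does: the nonce was bound to a session other than the one that tries to redeem it.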
That’s what I’ve had to do to fix the issue, but that breaks my asynchronous login process. I really liked doing things that way.
I’ve also tried doing it through Axios. I would’ve expected it to work since the request is coming from the client. It doesn’t seem to be working either.
If you think of a way I could implement an asynchronous login process, I would welcome any tips! In any case, thank you for the response, greatly appreciated.