I’m processing the SSO authentication in my PHP backend. I start by sending a curl request to my SSO URL (https://forum.latranchee.com/session/sso) so I can get the SSO payload and SIG, then proceed to create my own payload to create the proper redirect URL.
Here’s where it gets weird…
If I access https://forum.latranchee.com/session/sso in my browser, copy/paste the SSO and SIG into my script, the final redirect URL will work.
If I get it through CURL, the final redirect will show an error message and I’ll have this in my log:
Verbose SSO log: Nonce has already expired
I’m at a loss here… The problem seems to have appeared out of nowhere and now my users can’t log in.
Did Discourse change something to prevent bots from pinging /session/sso?