Watch out for double url encoding of SSO payload

We’ve been having a ton of problems with our SSO implementation recently and after a lot of debug work found the issue.

Some of our issues included:

  • New users being unable to sign into the forums
  • Existing users having 7 added to the end of their username when they signed in for the first time
  • sso_sync rejecting username changes

It turns out this was all caused by double URL encoding our SSO payload. We were encoding it, putting it in the URL with the signature and encoding that again. As base64 encoded strings can include =, this got encoded TWICE into %253D rather than %3D as it should be. I have no clue why this only broke Discourse sometimes but hopefully if someone else has this issue this may be of help.