I am using WordPress as the SSO client, meaning Discourse handles all the logins and user profiles.
But I keep getting the expired nonce error only when I am signed out of my Discourse forum.
However, when I am signed into my Discourse forum, it works immediately; it doesn’t even redirect me to sign in on Discourse.
I think it’s worth mentioning that I recently changed my domain. However, I followed the tutorial on here again and made sure everything was set up properly. So I don’t think that’s the issue.
@codinghorror you seem to be an expert at this stuff. Any help would really be appreciated.
Can you check your SSO settings on Discourse? You can see all of them by entering ‘sso’ into the settings search box. When Discourse is used as the SSO provider, the SSO secret on Discourse is now being taken from the ‘sso provider secrets’ setting.
If the value of this setting doesn’t match the value of your WordPress sso secret, create a new ‘sso provider secrets’ domain/secret pair. Enter * as the domain and your secret as the secret. Click the icon and then click the green checkmark to save the setting.
Thanks for looking. That setting is not yet available on your version of Discourse, so it won’t be the cause of the problem. I’ll try to reproduce the error and get back to you about this. I may not be able to look at this closely until tomorrow.
Extra information: I have taken a look at the database on the WordPress side, and sometimes the nonce is not stored in the wp_discourse_nonce table. I suspect this has to do with Cloudflare caching the redirect, although there is a pragma: no-cache on the response.
I’ve run into a similar issue on another site. In that case, the problem seems to be caused by Object Caching for anonymous users.
As a temporary fix, could you try updating the wp-discourse plugin to version 1.8.0 (it’s in the WordPress repo now) and then adding the following code to your theme’s functions.php file?
All the code is doing is generating a unique string for the login link to break the object cache. Calling wp_generate_password is a simple way to do this. This should work as long as the Login With Discourse link is on a page that is not cached.
Let me know if you have any trouble adding the code to your theme, and also whether this fixes the issue for you. I’ll work on creating a better fix for the problem over the next week.