Wordpress SSO Expired nonce

I am using wordpress as the sso client. meaning discourse handles all the logins and user profiles.

But I keep getting the expired nonce error only when I am signed out of my discourse forum.

However, when i am signed into my discourse forum, it works immediately, it doesn’t even redirect me to sign in on discourse.

I think it’s worth mentioning that I recently changed my domain. However, I followed the tutorial on here again and made sure everything was setup properly. So I don’t think thats the issue.

@codinghorror you seem to be an expert at this stuff. Any help would really be appreciated

1 Like

Was it working correctly for you previously? If so, was anything changed other than the domain name?


Yes it was working correctly. And nothing has changed but the domain name, the API, and secret key

Thanks for replying.

Can you check your SSO settings on Discourse? You can see all of them by entering ‘sso’ into the settings search box. When Discourse is used as the SSO provider, the SSO secret is on Discourse is now being taken from the ‘sso provider secrets’ setting.

If the value of this setting doesn’t match the value of your WordPress sso secret, create a new ‘sso provider secrets’ domain/secret pair. Enter * as the domain and your secret as the secret. Click the :heavy_plus_sign: icon and then click the green checkmark to save the setting.

Let me know if this doesn’t solve the problem.

they do match

But I’ll do the rest anyway.

Is this what you mean by that:

And I don’t see a + icon anywhere either

The setting is called ‘sso provider secrets’. I need to update the plugins docs for the new setting.

If you are not finding this setting, can you let us know what version of Discourse you are on?

1 Like

I don’t have the setting and I don’t know how to check what version I am on. Im with https://www.communiteq.com/

Thanks for looking. That setting is not yet available on your version of Discourse, so it won’t be the cause of the problem. I’ll try to reproduce the error and get back to you about this. I may not be able to look at this closely until tomorrow.

Okay no problem. Do you need access to my wordpress or discourse or anything?

I can even create an account for you on my site so you can checkout the problem right there. Thanks!

The nonce going back and forth is the same, so it must be in this code in the Wordpress plugin


Off topic: why is this not being oneboxed?

Could it be this issue?

1 Like

Yes, that’s possible, but since it was working previously it would only be the cause if the WordPress site’s server has changed.

1 Like

You have a zero-width space in front of that link :wink:.



Extra information: I have taken a look at the database on Wordpress side and sometimes the nonce is not stored in the wp_discourse_nonce table. I suspect this has to do with Cloudflare caching the redirect although there is a pragma: no-cache on the response.



I’ve run into a similar issue on another site. In that case, the problem seems to be caused by Object Caching for anonymous users.

As a temporary fix, could you try updating the wp-discourse plugin to version 1.8.0 (it’s in the WordPress repo now) and then adding the following code to your theme’s functions.php file?

add_filter('wpdc_sso_client_query', 'wpdc_custom_sso_client_query' );
function wpdc_custom_sso_client_query() {
    return wp_generate_password( 12, false );

All the code is doing is generating a unique string for the login link to break the object cache. Calling wp_generate_password is a simple way to do this. This should work as long as the Login With Discourse link is on a page that is not cached.

Let me know if you have any trouble adding the code to your theme. And also, if this fixes the issue for you. I’ll work on creating a better fix for the problem over the next week.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.