sso.php

<?php
include_once('page.php');

require_once('settings.php');
require_once('db.php');
require_once('auth.php');

if (!isset($_GET['sso']) || !isset($_GET['sig'])) {
    echo('Invalid request!');
    return;
}

if ($user == null) {
    return;
}

// Decode signature received from Discourse
$raw_payload = urldecode($_GET['sso']);
$payload = base64_decode($raw_payload);
$signature = urldecode($_GET['sig']);

// Hash signature to match with.
$discourse_signature = hash_hmac("sha256", $raw_payload, $discourse_secret);

// Validate signature.
if ($discourse_signature != $signature) {
    echo('Unauthorized request!');
    return;
}

// Get query data from payload
$payload_data = array();
parse_str($payload, $payload_data);

// Add user details to payload
$payload_data['email'] = $user['email'];
$payload_data['external_id'] = $user['user_id'];
$payload_data['username'] = $user['user_name'];
if ($user['role_id'] != null && isset($roles_to_group[$user['role_id']])) {
    $payload_data['add_groups'] = $roles_to_group[$user['role_id']];
}
$payload_data['custom.user_field_1'] = $user['rank'];
$payload_data['custom.user_field_2'] = $user['games'];

// Create payload and encode it
$payload_query = http_build_query($payload_data);
$return_payload = base64_encode($payload_query);

// Create return signature
$return_signature = hash_hmac("sha256", $return_payload, $discourse_secret);

// Redirect back
$redirect_url = $payload_data['return_sso_url'] . '/?sso=' . $return_payload . '&sig=' . $return_signature;
header('Location: ' . $redirect_url);
exit;