Question

I'm getting this

OmniAuth::Strategies::OAuth2::CallbackError at /auth/google/callback csrf_detected | CSRF detected

My code:

```ruby
require 'sinatra'
require "sinatra/json"
require "sinatra/config_file"
require 'omniauth-oauth2'
require 'omniauth-google-oauth2'

use Rack::Logger

config_file "config/app_config.yml"
# Explicit cookie-backed session middleware with its own secret
use Rack::Session::Cookie, secret: '5fb7w345y3489f523y4h'

configure do
  # Sinatra's built-in session support (also cookie based)
  enable :sessions
end

use OmniAuth::Builder do
  # Client id and secret come from config/app_config.yml
  provider :google_oauth2, settings.google[:client_id], settings.google[:secret],
    {
      :scope => "userinfo.profile",
      :access_type => "offline",
      :prompt => "select_account consent",
      :name => "google"   # mounts the strategy at /auth/google
    }
end

get '/list' do
  json get_list
end

get '/' do
  %Q|<a href='/auth/google'>Sign in with Google</a>|
end

# OmniAuth redirects here after the provider calls back
get '/auth/:name/callback' do
  @auth = request.env['omniauth.auth']
  @auth.inspect
end
```

My callback is returning both code and state.


Solution 3

Got the same problem

(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

The last omniauth-oauth2 update introduced the "state" param as a mandatory field.

Some people suggest using provider_ignores_state: true, but it's a bad idea because it introduces a CSRF flaw.

Guess we'll have to downgrade to previous version to keep google_oauth2 working.

The issue is tracked at https://github.com/intridea/omniauth-oauth2/issues/58
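To show what the "state" check described above actually protects against, here is an added example (not omniauth-oauth2's own code) that models the request and callback phases with a plain hash standing in for the Rack session, and reproduces the success, replay and lost-session cases:

```ruby
require 'securerandom'

# Added example, not omniauth-oauth2's own code: a minimal model of the
# "state" CSRF check. `session` and `params` stand in for the Rack session
# hash and the callback query parameters.
module StateCheck
  CallbackError = Class.new(StandardError)

  # Request phase: mint a random state, store it in the session and return
  # the value that is sent to the provider in the authorize URL.
  def self.request_phase(session)
    session['omniauth.state'] = SecureRandom.hex(24)
  end

  # Callback phase: the state echoed back must equal the stored one. The
  # stored value is consumed, so a replayed callback fails the second time.
  def self.callback_phase(session, params)
    expected = session.delete('omniauth.state')
    returned = params['state'].to_s
    unless expected && !returned.empty? && secure_equal?(expected, returned)
      raise CallbackError, 'csrf_detected | CSRF detected'
    end
    true
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of the expected state matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Returns true on success, or the error message the callback would raise.
def attempt(session, params)
  StateCheck.callback_phase(session, params)
rescue StateCheck::CallbackError => e
  e.message
end

# Constructed scenarios matching the behaviours discussed on this page.
def run_scenarios
  session = {}
  state = StateCheck.request_phase(session)
  {
    ok: attempt(session, 'state' => state),        # first callback succeeds
    replay: attempt(session, 'state' => state),    # state already consumed
    lost_session: attempt({}, 'state' => state)    # session cookie not sent back
  }
end
```

The lost-session case is what a session cookie scoped to the wrong domain, or a second session middleware with a different secret, looks like from the strategy's point of view: the state was minted, but the callback request arrives without it.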

Other tips

This problem occurs with Rails when the domain defined in /config/initializer/session_store.rb is different from the origin/redirect_uri defined in the Google API console.

```ruby
MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'
```

Removing the domain param or using the same domain on both sides fixed the problem.

If you are using Devise with OmniAuth you need to skip the extra omniauth.rb initializer file and simply add config.provider "KEY", "SECRET" inside your initializers/devise.rb and then carry on with your implementation.

Are you hitting back and reattempting to log in? I was getting this issue and it was really confusing me, but it was because I was going back to retry. If I typed in the address again, I wouldn't get the issue.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow