Authentication failure! csrf_detected #443
Comments
I'm having the same error: csrf_detected. ruby version: 3.2.2 I'm not sure, but it may be related to this gem as well: https://github.com/cookpad/omniauth-rails_csrf_protection |
Does any version of rack v3 work? Might want to add this to the docs. |
It is working for me on Rails 7.1 with Rack 3.0.8. |
It's working in the dev environment but does not work in prod. |
@viktor-shmigol The project I am working on is still under development. I'll get back to you when it gets deployed. I think it should work as well, since the only differences are the oauth2 credentials and redirect_uri. |
I'm seeing a similar issue here (although I'm using standard Rails not React) when trying to use Google One Tap with Omniauth as per https://developers.google.com/identity/gsi/web/guides/display-button. I'm using:
My initializer is:

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2,
    Rails.application.credentials.google.client_id,
    Rails.application.credentials.google.client_secret
    {
      provider_ignores_state: true
    }
end
```

And my view is:

```erb
<script src="https://accounts.google.com/gsi/client" async></script>
<div id="g_id_onload"
     data-client_id="<%= Rails.application.credentials.dig(:google, :client_id) %>"
     data-login_uri="<%= auth_callback_url(:google_oauth2) %>"
     data-auto_prompt="false">
</div>
<div class="g_id_signin"
     data-type="standard"
     data-size="large"
     data-theme="outline"
     data-text="sign_in_with"
     data-shape="rectangular"
     data-logo_alignment="left">
</div>
```

The Google flow works but Omniauth complains when the callback is received:
If I don't try and use the Google One Tap in this way:

```erb
<%= button_to "Log in with Google", google_auth_path, data: { turbo: false } %>
```

Then it works fine, no CSRF error at all. However, there is a subtle difference. When I use the standard

As you can see there is the additional POST to

If anyone has a workaround for this, I'd love to know. Perhaps Omniauth is not (yet) compatible with Google One Tap sign in? |
@Gasol did it work in prod for you? |
Is there any news or a solution? I'm facing the same issue trying to run a react on rails app with Devise and omniauth. |
If two libraries are not working, it is very likely the google app is not configured correctly. Make sure your callback paths are correct. |
I'm setting up a single page application using react that has ruby on rails as the backend. I have my google api credentials and I have the front end sign in with google setup according to these instructions. https://developers.google.com/identity/gsi/web/guides/client-library
When I click the sign in button I can auth with google successfully and I'm redirected to the callback url. I have a controller method setup but the code is throwing an exception prior to running any of it. I get the following error message:
I've narrowed the exception code down to these lines here. https://github.com/omniauth/omniauth-oauth2/blob/3a43234ab5dd36a75f9c125c58fcfe1a37b26805/lib/omniauth/strategies/oauth2.rb#L86-L87
Both `!options.provider_ignores_state` and `request.params["state"].to_s.empty?` evaluate to true. It looks like it's expecting a parameter called `state` but the POST request that google's javascript api is sending only contains the parameters `credentials` which contains a JWT and `g_csrf_token`.

Am I missing something here? Am I using the wrong libraries or something?
ruby version: 3.2.2
rails version: 7.0.4.3
devise gem 4.9.2
omniauth gem 2.1.1
omniauth-google-oauth2 gem 1.1.1
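
The mismatch described in this issue, as an added example that is not part of the thread or of omniauth-oauth2: a simplified model of the linked `state` check next to the double-submit check Google documents for the `g_csrf_token` cookie and body parameter. The helper names, the `credential` key and all sample values are assumptions constructed for illustration.

```ruby
# Added example: simplified model, not omniauth-oauth2's or Google's code.

# Mirrors the condition the issue links to (oauth2.rb#L86-L87): true means
# the strategy would fail the callback with :csrf_detected.
def oauth2_state_rejected?(params, session, provider_ignores_state: false)
  return false if provider_ignores_state # check skipped entirely
  state = params["state"].to_s
  state.empty? || state != session.delete("omniauth.state")
end

# Constant-time string comparison so a mismatch leaks no timing detail.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Double-submit check for the Google Identity Services POST: the
# g_csrf_token cookie must exist and equal the g_csrf_token body parameter.
def gsi_csrf_valid?(params, cookies)
  body = params["g_csrf_token"].to_s
  cookie = cookies["g_csrf_token"].to_s
  return false if body.empty? || cookie.empty?
  secure_compare(body, cookie)
end

# Constructed sample requests; all values are placeholders.
REDIRECT_CALLBACK = { "state" => "s-123", "code" => "placeholder-code" }.freeze
GSI_POST = { "credential" => "placeholder.jwt", "g_csrf_token" => "t-1" }.freeze

# Summarises how each check treats a request.
def verdicts(params, session, cookies)
  { oauth2_rejected: oauth2_state_rejected?(params, session),
    gsi_csrf_ok: gsi_csrf_valid?(params, cookies) }
end

if __FILE__ == $PROGRAM_NAME
  p verdicts(REDIRECT_CALLBACK, { "omniauth.state" => "s-123" }, {})
  p verdicts(GSI_POST, { "omniauth.state" => "s-123" }, { "g_csrf_token" => "t-1" })
end
```

Setting `provider_ignores_state: true` only turns the first check off; a POST from the Google button still needs the second check on whatever endpoint receives it.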