-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF detected #49
Comments
This might or not applied to you, but we ran in a similar problem using omniauth-auth0 and the devise omniauth integration. In our case, we manually generated the authorize url instead of relying on the omniauth route helper ( You will want to make sure that this method https://github.com/intridea/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L51 gets called as part of the request generation. |
I'm having the same problem. It seems that the Auth0 Lock dialog is broken with this version of the gem. It works if I do what the README says and just redirect the user to As far as I can tell, OmniAuth-OAuth2 is expecting the callback URL to include a |
Auth0 will return the state value if you pass it as a parameter when you send the user to the Auth0 authentication page. For it to work, the authorize request should look something like:
If you use the In our case, it looks something like this:
class AuthenticationController < Devise::OmniauthCallbacksController
def login
redirect user_auth0_omniauth_authorize_path
end
...
end I hope it helps. |
@pouellet thanks so much, that really did help! I'm now |
Thanks @pouellet. That seems to be the same flow as linking the user to @rjocoleman mentioned using That said, I'm not sure if this gem is where this problem needs to be tackled. Perhaps |
@MattFenelon I was using lock.js, but I took it out and started using the hosted login page. Take a look at both the |
This is not working for me. I pass a I'm using <script>
// Decode utf8 characters properly
var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
config.extraParams = config.extraParams || {};
config.responseType = config.extraParams.response_type;
config.dict = {
email: {
headerText: "Enter your email to sign in"
},
title: "My Title"
};
config.closeable = false;
var connection = config.connection;
var prompt = config.prompt;
var loginHint = config.extraParams.login_hint;
var lock = new Auth0LockPasswordless('key', 'my-domain.auth0.com');
lock.emailcode(config);
</script> |
OK, I figured this out. When passing a Here's the updated script example: <script>
// Decode utf8 characters properly
var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
config.extraParams = config.extraParams || {};
config.responseType = config.extraParams.response_type;
config.dict = {
email: {
headerText: "Enter your email to sign in"
},
title: "My Title"
};
config.closeable = false;
config.authParams = {
scope: 'openid profile', // Learn about scopes: https://auth0.com/docs/scopes
state: config.extraParams.state
};
var connection = config.connection;
var prompt = config.prompt;
var loginHint = config.extraParams.login_hint;
var lock = new Auth0LockPasswordless('key', 'my-domain.auth0.com');
lock.emailcode(config);
</script> Maybe someone from the Auth0 team can comment on why the |
I got CSRF working w/ Lock. omniauth (1.6.1) session_helper.rbmodule SessionHelper
def state_meta_tag
state = SecureRandom.hex(24)
session['omniauth.state'] = state
tag('meta', name: 'state', content: state)
end
end application.html.erb<%= csrf_meta_tags %>
<%= state_meta_tag %> session.js.erbvar options = {
auth: {
redirectUrl: '<%= Rails.application.routes.url_helpers.auth_callback_url(:oauth2) %>',
responseType: 'code',
params: {
scope: 'openid email',
state: $('meta[name="state"]').attr('content')
}
},
theme: {
primaryColor: '#EA5A52'
}
};
var lock = new Auth0Lock('<%= ENV['AUTH0_CLIENT_ID'] %>', '<%= ENV['AUTH0_DOMAIN'] %>', options);
lock.show(); |
@atwoodjw can you specify which version of the omniauth gems? (omniauth, omniauth-auth0, omniauth-oauth2) The problem arise only when switching to omniauth-auth0 version 2.0.0, so at least some upgrading instructions should be provided for customers going to the next major release. |
Sure. omniauth (1.6.1) Yes, the issue only arrises in omniauth-auth0 (2.0.0) because |
Above @atwoodjw worked like a charm. But I am not able to achieve this for IdP initiated SSO as the IdP first authenticate and the callback URL is called directly from auth0. There is no way that you can store any state param in session as the request is initiated from IdP. Request to suggest any best practices |
@errfanwadia I ran into similar issue when doing impersonation. Everything happens on the Auth0 side before the callback to omniauth. The only solution I'm aware of so far was to disable the state check |
@joshcanhelp Needs sorted. |
Sorry for the long delay, picking up on this repo now. We will be going through some updates soon. |
Chiming in here since the fixes are using old versions of our libraries that should be updated. Again, apologies for the long delay in response here. See my comment here for an example of how to use this library with Lock. Make sure you're using the latest major/minor version of Lock, preferably the latest (11.7.x as of this writing). This library includes Passwordless now as well, no need for the separate library. That said ... you're best off using the universal login page (redirecting to Thank you @atwoodjw for the example posted! @hoverlover - those are parameters sent to the @errfanwadia - If you're still struggling with this, please open a new issue with information about your setup so we can troubleshoot that. |
https:///users/auth/auth0/callback |
class AuthenticationController < Devise::OmniauthCallbacksController def login ... |
Today I tried to sign in to https://code.videolan.org by using github.com. I got a pin , but it failed with CSRF detected. What should I do? How should I understand your comment? Is it fixed or not? Or is it a bug on https://code.videolan.org? |
Using
omniauth-auth0
v2.0.0 but otherwise following the Rails 5 guides in the docs leads to acsrf_detected
error coming out of omniauth.provider_ignores_state = true
used to be set in the provider by default. This was removed in v2.0.0. Setting this explicitly avoids the CSRF detected error but it doesn't seem like a good idea.Is there another suggested implementation to avoid setting
provider_ignores_state = true
?The text was updated successfully, but these errors were encountered: