Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil #70

Closed
khrome-cape opened this issue Dec 18, 2018 · 7 comments

@khrome-cape

Missing Login Info

Description

I'm currently integrating omniauth SSO to an existing Devise based application. (Devise + omniauth + omniauth-auth0). After a little experimentation I was able to get auth working, but don't receive any of the metadata I would expect... instead I get:

#<OmniAuth::AuthHash::InfoHash email=nil image=nil name="github|<USER_ID>" nickname=nil>

in the info hash. Is there a quick fix/known behavior for this issue?

Prerequisites

I checked around and saw no issues/fixes/PRs to match

Environment

Please provide the following:

  • OmniAuth-Auth0 version: 2.0.0
  • Ruby version: 2.3.1
  • Rails version: 5.0.2
  • Browser version, if applicable:
  • Additional gems that might be affecting your instance:
    aasm
    activerecord-import
    activerecord-postgis-adapter
    angular_rails_csrf
    aws-sdk (>= 2.0.34)
    better_errors
    bootstrap (> 4.0.0.alpha6)
    bower-rails (> 0.11.0)
    byebug (> 10.0.0)
    capybara
    coffee-rails (> 4.2)
    config
    database_cleaner
    debase (> 0.2.1)
    devise (= 4.3.0)
    factory_girl_rails
    faker
    freyr_client!
    gis_tools!
    haml-rails
    image_tools!
    jbuilder (> 2.5)
    jquery-rails
    listen (> 3.0.5)
    newrelic_rpm (>= 3.6)
    ngannotate-rails
    omniauth (> 1.6.1)
    omniauth-auth0 (> 2.0.0)
    paperclip!
    parallelize
    passenger (>= 5.0.25)
    pg
    pundit
    rails (> 5.0.1)
    rails-controller-testing
    rails_admin
    rails_admin_pundit!
    rbtrace
    redis
    redis-lock
    redis-namespace
    redis-objects
    redis-rails
    redis-store
    restangular-rails!
    rgeo (>= 0.5.2)
    rgeo-geojson
    rmagick
    rspec-rails
    ruby-debug-ide (> 0.6.0)
    ruby-opencv (= 0.0.17)
    sass-rails (> 5.0)
    sidekiq (= 4.0)
    sidekiq-failures
    sidekiq-scheduler
    sidekiq-unique-jobs
    simplecov
    sinatra (= 2.0.0.beta2)
    slim (= 2.0.1)
    spring
    spring-watcher-listen (> 2.0.0)
    sqlite3
    turbolinks (> 5)
    typhoeus
    tzinfo-data
    uglifier (>= 1.3.0)
    web-console (>= 3.3.0)

Reproduction

I never get details on login, only the uid of the user. Every attempted login on any provider is a reproduction of this issue. I do not have an isolated test case.

It seems to do the same thing for any provider. ( EX: google-oauth2|USER_ID is all that comes in for the google provider )

Logs

Logs indicate a successful auth, but themselves have some empty fields.

{
  "date": "2018-12-18T18:46:29.380Z",
  "type": "seacft",
  "description": "",
  "connection_id": "",
  "client_id": "4Ac7g6azJYRJd7FyEjLWk0cnNVaFGNFX",
  "client_name": "client-portal",
  "ip": "REDACTED",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "REDACTED",
  "user_id": "",
  "user_name": "",
  "log_id": "90020181218184629380777407631495898728224680782653942003",
  "isMobile": false
}

Settings

In my devise config:

  config.omniauth :auth0, ENV['AUTH0_CLIENT_ID'],
    ENV['AUTH0_CLIENT_SECRET'],
    ENV['AUTH0_HOST'],
    {
      authorize_params: {
        scope: 'openid read:users',
        audience: '<audience URL>'
      },
      provider_ignores_state: true,
      callback_path: '/authenticate'
    }

I'm examining the incoming auth inside my self.from_omniauth(auth) implementation.

Thanks for looking,
-abbey

@joshcanhelp
Contributor

@khrome-cape - Sorry for the trouble here. We have not tested with Devise at all so can't guarantee that this configuration will work. That said, we're happy to make any changes needed to make that possible.

In the meantime ... your logs look fine, that's what they look like on my end with a successful authentication. Your configuration generally looks fine, I don't think either of the additional options there would have an effect on the auth data that's being compiled.

There is a newer version of this gem that you could try. That updates an underlying omniauth-oauth2 dependency which might make a difference.

Have you tried examining what you have in session once you've been authenticated? In my test app, I use session[:userinfo], which gives me the data structure outlined here. I wonder if Devise is just putting it somewhere else?

Lastly, can you test authentication with just OmniAuth by itself, outside of Devise? That would narrow the troubleshooting scope a bit.

@khrome-cape
Author

Hey there, thanks for the reply. I've been away for the holidays and a cross country move. I picked it back up with fresh eyes this week but have not been having much progress. You are right about Devise putting them somewhere else (in my case request.env['omniauth.auth']), but that's where I originally got the nil values from, not where populated values are sitting. I'll report back after further tracing.

@khrome-cape
Author

khrome-cape commented Jan 15, 2019

So I was able to get much closer to a working solution (a mixture of timing, scope changes and payload placement), but am still not receiving the email field (using the same scope & application credentials I do get this in node.js/passport ). Any ideas as to what could be going wrong?

@joshcanhelp
Contributor

Glad to hear!

In authorize_params.scope you'll need to include email in there as well. The scope is the scope, it does not make a difference what language/platform you're using to request it.

Also ... read:users is not necessary there, that's not an OIDC scope.

@khrome-cape
Author

Awesome!

Not a dealbreaker, but it's curious I'm getting email without explicitly requesting it in node.js/passport. read:users came from one of the "use at your own risk" Devise + Omniauth + Auth0 solutions floating around on the web.

The long and short is the 3 libraries do work together, but configuration/setup is tricky. I'll be producing documentation internally for this purpose... at some point I'll try to reformat that as a short setup tutorial. Thanks!

@joshcanhelp
Contributor

joshcanhelp commented Jan 16, 2019

> it's curious I'm getting email without explicitly requesting it in node.js/passport

One of the tenets of OpenID is you don't get back any profile data that you didn't explicitly ask for. It might be added later on in the process somewhere? Or maybe you asked for profile and the email address comes back as the name? The profile scope sends back this:

{
    "sub": "auth0|1234567890",
    "nickname": "josh.cunningham",
    "name": "josh.cunningham@auth0.com",
    "picture": "https://s.gravatar.com/avatar/ae098a33ae2acd0fd647f48749f8630c?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fjo.png",
    "updated_at": "2019-01-16T18:32:43.760Z"
}

You can see the email address in there but it's for the name attribute.

If you're able to provide the configuration information for using this library with Devise, we'd greatly appreciate it! It's a question that comes up now and again so it would be nice to have some documentation on it. Happy to test it on my end as well.
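
An added example, not part of the original thread or of the omniauth-auth0 code base: a small Ruby model of the scope-to-claims behaviour discussed above, applied to the reported options and to a corrected set. The profile values are constructed, the scope table follows OpenID Connect Core section 5.4, and `info_hash` is an assumed mapping inferred from the `name="github|<USER_ID>"` value in the report.

```ruby
# Claims released by each standard OIDC scope (OpenID Connect Core 1.0, section 5.4).
OIDC_SCOPE_CLAIMS = {
  'openid'  => %w[sub],
  'profile' => %w[name family_name given_name middle_name nickname preferred_username
                  profile picture website gender birthdate zoneinfo locale updated_at],
  'email'   => %w[email email_verified],
  'address' => %w[address],
  'phone'   => %w[phone_number phone_number_verified],
  'offline_access' => []
}.freeze

# Constructed sample: everything the identity provider holds about one user.
FULL_PROFILE = {
  'sub' => 'github|0000000', 'name' => 'Example User', 'nickname' => 'example',
  'picture' => 'https://example.invalid/a.png', 'email' => 'user@example.invalid',
  'email_verified' => true
}.freeze

# Model of the userinfo response: only claims covered by a requested scope come back.
def released_claims(scope, profile = FULL_PROFILE)
  allowed = scope.split.flat_map { |s| OIDC_SCOPE_CLAIMS.fetch(s, []) }
  profile.select { |claim, _| allowed.include?(claim) }
end

# Assumed claims -> OmniAuth info mapping; the name -> sub fallback is inferred
# from the report, where name held only the "github|<USER_ID>" identifier.
def info_hash(claims)
  { name: claims['name'] || claims['sub'], nickname: claims['nickname'],
    email: claims['email'], image: claims['picture'] }
end

# Review a strategy options hash for the problems raised in the thread.
def review(options)
  scopes = options.dig(:authorize_params, :scope).to_s.split
  findings = []
  findings << 'scope lacks openid' unless scopes.include?('openid')
  (scopes - OIDC_SCOPE_CLAIMS.keys).each { |s| findings << "#{s} is not a standard OIDC scope" }
  info_hash(released_claims(scopes.join(' '))).each do |key, value|
    findings << "info.#{key} will be nil" if value.nil?
  end
  findings << 'provider_ignores_state skips the OAuth state (CSRF) check' if options[:provider_ignores_state]
  findings
end

# Options as posted in the issue, then with the scope fix and the state check restored.
REPORTED  = { authorize_params: { scope: 'openid read:users' }, provider_ignores_state: true }.freeze
CORRECTED = { authorize_params: { scope: 'openid profile email' } }.freeze

puts review(REPORTED)
puts review(CORRECTED).empty? ? 'corrected options: no findings' : review(CORRECTED)
```
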

joshcanhelp added this to the v2-Next milestone Apr 18, 2019
@SethHorsley

I am having the same response as you @joshcanhelp @khrome-cape, is this normal?
