Update README.md #7

Closed
wants to merge 2 commits into from

Conversation

liamkillion

No description provided.

Author

@liamkillion liamkillion left a comment

Updated to clarify that the user must specify a later version of omniauth-oauth in their own Gemfile.

@aguynamedben

@liamkillion Can you elaborate on this version compatibility issue? Our omniauth-oauth2 dependency currently resolves to 1.6.0 and we're unsure if pinning omniauth-oauth2 to ~> 1.3 is going to break other OmniAuth strategies we use.

@liamkillion
Author

@aguynamedben a version update to omniauth-oauth2, at version 1.6.0, introduced a change that breaks this gem - hope that helps!

@pboling
Contributor

pboling commented Apr 13, 2020

@liamkillion Do you know what that change was? We must get this gem fixed for multiple reasons.

It actually looks, from the patches on other branches, like the omniauth-oauth2 release that broke this gem was version 1.4.0, not 1.6.0; they also note the need to lock to ~> 1.3.1.

  1. Other gems have already set omniauth-oauth2 version to a minimum of 1.6, e.g. omniauth-google-oauth2. Sites with multiple authentication sources are now stuck between a rock and a hard place.
  2. There is an open CVE security vulnerability, currently unpatched, in omniauth, and when it gets fixed we must be able to update to the patched version.

    Name: omniauth
    Version: 1.9.1
    Advisory: CVE-2015-9284
    Criticality: High
    URL: https://github.com/omniauth/omniauth/pull/809
    Title: CSRF vulnerability in OmniAuth's request phase
    Solution: remove or disable this gem until a patch is available!

We can't have a web of fixed dependencies preventing the upgrade.

    omniauth-oauth2 (1.6.0)
      oauth2 (~> 1.1)
      omniauth (~> 1.9)

CC @grnhse Please pay attention!

@pboling
Contributor

pboling commented Apr 13, 2020

90% of these patches are to lock the version dependency, and that is a terrible precedent to set.

[Screenshot 2020-04-13 13 37 11]

pboling referenced this pull request in omniauth/omniauth-oauth2 Apr 13, 2020
Don't override callback_url Attempt to correct #28
@pboling
Contributor

pboling commented Apr 13, 2020

Discovered the issue. Version 1.4.0 of omniauth-oauth2 only had one tiny change, removing the callback_url override, and it broke a ton of oauth integration gems. Those gems fixed the issue by redefining an explicit callback_url override in the same form as what had been removed.

    # Explicit override: full host + mount point + strategy callback path,
    # without the request's query string.
    def callback_url
      full_host + script_name + callback_path
    end

PR coming soon.
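To make the effect of that one-line override concrete, here is an added example (not code from omniauth-greenhouse, omniauth-oauth2 or this PR) that models the relevant slice of an OmniAuth strategy with a constructed Rack-style request instead of the real gem classes. The base `callback_url` follows the omniauth 1.x `OmniAuth::Strategy#callback_url` shape, `full_host + script_name + callback_path + query_string` (that shape is my reading of the omniauth source, stated here as an assumption), and `FixedStrategy` carries the override quoted above. The request values, hostname and strategy name are constructed for the example.

```ruby
# Constructed stand-in for the Rack request an OmniAuth strategy sees.
class FakeRequest
  attr_reader :scheme, :host, :port, :script_name, :query_string

  def initialize(scheme:, host:, port:, script_name: "", query_string: "")
    @scheme = scheme
    @host = host
    @port = port
    @script_name = script_name
    @query_string = query_string
  end
end

# Models OmniAuth::Strategy#callback_url as found in omniauth 1.x (assumption):
# the base implementation appends the current request's query string.
class BaseStrategy
  def initialize(request, name)
    @request = request
    @name = name
  end

  # scheme://host[:port], omitting the port when it is the scheme default
  def full_host
    default_port = @request.scheme == "https" ? 443 : 80
    host = @request.host
    host += ":#{@request.port}" unless @request.port == default_port
    "#{@request.scheme}://#{host}"
  end

  def script_name
    @request.script_name
  end

  def callback_path
    "/auth/#{@name}/callback"
  end

  def query_string
    @request.query_string.empty? ? "" : "?#{@request.query_string}"
  end

  def callback_url
    full_host + script_name + callback_path + query_string
  end
end

# The override that omniauth-oauth2 < 1.4.0 carried and that strategy gems
# re-added after 1.4.0 removed it: the same URL minus the query string.
class FixedStrategy < BaseStrategy
  def callback_url
    full_host + script_name + callback_path
  end
end

# Constructed requests: the authorize redirect has no query string; on the
# callback the provider has appended code and state.
AUTHORIZE_REQUEST = FakeRequest.new(scheme: "https", host: "app.example.test", port: 443)
CALLBACK_REQUEST  = FakeRequest.new(scheme: "https", host: "app.example.test", port: 443,
                                    query_string: "code=abc123&state=xyz")

# [redirect_uri sent with the authorize request, redirect_uri sent with the
# token exchange on the callback request]
def redirect_uris(strategy_class, name = "greenhouse")
  [strategy_class.new(AUTHORIZE_REQUEST, name).callback_url,
   strategy_class.new(CALLBACK_REQUEST, name).callback_url]
end

# OAuth 2.0 (RFC 6749 section 4.1.3) requires the redirect_uri in the token
# request to be identical to the one used at authorization, so a strategy whose
# callback_url changes between the two phases gets its token exchange rejected.
def redirect_uri_stable?(strategy_class)
  before, after = redirect_uris(strategy_class)
  before == after
end

if __FILE__ == $0
  puts "base:  #{redirect_uris(BaseStrategy).inspect}  stable=#{redirect_uri_stable?(BaseStrategy)}"
  puts "fixed: #{redirect_uris(FixedStrategy).inspect}  stable=#{redirect_uri_stable?(FixedStrategy)}"
end
```

Run stand-alone, the base strategy reports a callback URL that gains `?code=abc123&state=xyz` on the callback request while the fixed strategy reports the same URL in both phases, which is the property the override restores; the real gem's `full_host` also honours forwarded-host headers and other settings that this model leaves out.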

@pboling
Contributor

pboling commented Apr 13, 2020

PR with fix is here: #8, and this issue can be closed once merged.

@pboling
Contributor

pboling commented Apr 1, 2021

@NickMeves @jcmuller @tfrey7 @dianaliu @mtoneil @bouffy @tdphillipsjr @acaloiaro @hugomarcotte @evan-duncan @Adam262 @kbruccoleri @jooshbzm @Ataraxic

This is not a good look for @grnhse (Greenhouse).
This needs to be addressed. It is a security issue.
Please also see #8

Please also note that this gem is dead as of now. It is incompatible with the current major version of omniauth, and is potentially a security risk. There are frequently CVEs filed against the omniauth family of gems (e.g. CVE-2015-9284, CVE-2020-26254, CVE-2020-15240), which in turn forces upgrades.

As this gem is incompatible with the latest version, it forces use of older, CVE-vulnerable versions of the omniauth suite.

This is unacceptable. If you aren't going to maintain this gem, then please state as much in the readme, and archive the project. You are putting the community at risk.

    Bundler could not find compatible versions for gem "omniauth":
      In Gemfile:
        omniauth (~> 2.0.0)

        omniauth-greenhouse was resolved to 1.3.1, which depends on
          omniauth (>= 1.3.1, < 2)

I tried to help, but it has been a year now, so I am removing our Greenhouse integration. I hope to see this situation improve.

FWIW, I am the primary maintainer of omniauth-identity, a sibling in this family. In that regard, one option may be to transfer the maintenance of this gem over to the Omniauth organization.

Lastly, DO NOT MERGE THIS PR. It tells people to use the CVE-vulnerable, unpatched, version of omniauth.
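Two points in this thread hinge on what a RubyGems version constraint actually admits: the earlier comment distinguishes pinning omniauth-oauth2 to `~> 1.3` from locking to `~> 1.3.1`, and the Bundler output above shows `omniauth (~> 2.0.0)` colliding with `omniauth (>= 1.3.1, < 2)`. The following added example (not code from this project or PR) uses the standard `Gem::Requirement` and `Gem::Version` classes to evaluate those constraints against the version numbers mentioned in the thread; `resolvable?` only checks the candidate list it is handed, unlike Bundler, which considers every published version, and the lists are constructed for the example.

```ruby
require "rubygems"

# Candidate versions taken from the thread (constructed lists; a real resolver
# would see every published release).
OAUTH2_VERSIONS   = %w[1.3.1 1.4.0 1.6.0].map { |v| Gem::Version.new(v) }
OMNIAUTH_VERSIONS = %w[1.9.1 2.0.0].map { |v| Gem::Version.new(v) }

# Builds a Gem::Requirement from a Gemfile-style string; a comma-separated
# string such as ">= 1.3.1, < 2" becomes one requirement with two clauses.
def requirement(spec)
  Gem::Requirement.new(spec.split(",").map(&:strip))
end

# Version strings from `versions` that satisfy `spec`, in the given order.
def admitted(spec, versions)
  req = requirement(spec)
  versions.select { |v| req.satisfied_by?(v) }.map(&:to_s)
end

# True when at least one candidate satisfies every requirement at once, i.e.
# the constraints could be resolved together.
def resolvable?(specs, versions)
  reqs = specs.map { |s| requirement(s) }
  versions.any? { |v| reqs.all? { |r| r.satisfied_by?(v) } }
end

if __FILE__ == $0
  puts "~> 1.3   admits #{admitted('~> 1.3', OAUTH2_VERSIONS).inspect}"
  puts "~> 1.3.1 admits #{admitted('~> 1.3.1', OAUTH2_VERSIONS).inspect}"
  # Pinning to ~> 1.3.1 alongside a gem that needs >= 1.6 cannot resolve.
  puts "~> 1.3.1 with >= 1.6 resolvable? #{resolvable?(['~> 1.3.1', '>= 1.6'], OAUTH2_VERSIONS)}"
  # The exact conflict from the Bundler message above.
  puts "omniauth ~> 2.0.0 with >= 1.3.1, < 2 resolvable? #{resolvable?(['~> 2.0.0', '>= 1.3.1, < 2'], OMNIAUTH_VERSIONS)}"
end
```

Running it shows why the two pins are not interchangeable: `~> 1.3` means `>= 1.3, < 2.0` and still admits 1.4.0 and 1.6.0, so it does not avoid the breaking release, while `~> 1.3.1` means `>= 1.3.1, < 1.4` and admits nothing another gem requiring `>= 1.6` can use. The `< 2` upper bound on omniauth is likewise what rules out every 2.x release.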

@pboling
Contributor

pboling commented Apr 2, 2021

This PR should be closed.
