Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error "csrf_detected: Invalid 'state' parameter" happens due to session changing unexpectedly #196

Open
MarcoCouto opened this issue Nov 28, 2024 · 4 comments

Comments

@MarcoCouto
Copy link

Hi, I'm using this gem to support sign-in with Microsoft365. For compatibility reasons, I have to use version 0.6.1 and with Devise.

Using the discovery option doesn't work.
Here's the configuration:

config.omniauth :openid_connect, {
    name: :microsoft_office365,
    scope: [:openid, :email, :profile],
    issuer: "https://login.microsoftonline.com/common/v2.0", 
    response_type: :id_token,
    response_mode: :form_post,
    uid_field: "preferred_username",
    discovery: true,
    client_options: {
      port: 443,
      scheme: "https",
      host: "login.microsoftonline.com",
      identifier: ENV['MICROSOFT_CLIENT_ID'],
      secret: ENV['MICROSOFT_CLIENT_SECRET'],
      redirect_uri: "#{ENV['APP_DOMAIN']}/omniauth/microsoft_office365/callback"
    },
  }

I get an "Issuer mismatch" error, although the link https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration does retrieve a valid configuration.

So, I tried without discovery: true, and here's the configuration I used:

config.omniauth :openid_connect, {
    name: :microsoft_office365,
    scope: [:openid, :email, :profile],
    issuer: "https://login.microsoftonline.com/common/v2.0",
    response_type: :id_token,
    response_mode: :form_post,
    uid_field: "preferred_username",
    client_options: {
      port: 443,
      scheme: "https",
      host: "login.microsoftonline.com",
      identifier: ENV['MICROSOFT_CLIENT_ID'],
      secret: ENV['MICROSOFT_CLIENT_SECRET'],
      authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
      token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
      userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
      jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
      end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
      redirect_uri: "#{ENV['APP_DOMAIN']}/omniauth/microsoft_office365/callback"
    },
  }

Now, the error type is :csrf_detected, and the :reason is "Invalid 'state' parameter".
After looking at the gem's code and doing a few tests, I realized that the session changes between requests, i.e., between the authorization request (https://login.microsoftonline.com/common/oauth2/v2.0/authorize) and the callback request (redirect_uri: "#{ENV['APP_DOMAIN']}/omniauth/microsoft_office365/callback"). I printed the session id and it is indeed different. Hence, the stored_state and the nonce values, which are stored between requests in the session, will always be nil.

Why does this happen? Is anyone else facing this issue? What can I be doing wrong?

Thanks in advance!

@ksouthworth
Copy link

I am also having this issue and getting the csrf_detected | Invalid 'state' parameter error, when using a very similar configuration as OP but with PingIdentity

@ksouthworth
Copy link

FYI in case it helps anyone else, the following combination worked for me to resolve this problem, at least with the PingIdentity IdP I was testing against:

gem "omniauth-rails_csrf_protection"

skip_forgery_protection at the top of my OmniauthCallbacksController

Omniauth config values of:

      response_type: :id_token,
      response_mode: :form_post,
      send_state: false,
      send_nonce: false

@difernandez
Copy link

send_state: false would avoid the issue as the state param wouldn't be included and verified, but wouldn't that leave it vulnerable to CSRF?

@ksouthworth
Copy link

@difernandez yes you are correct, but at the moment I don't have an alternative remedy, it's not ideal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants