request.env['omniauth.params'] does not work with post
cpinto opened this issue · 1 comments
cpinto commented
Thank you so much for creating this lib to mitigate OmniAuth's CVE.
After applying it I noticed our app stopped receiving a couple of parameters in the callback. It appears that in the default OmniAuth::Strategy, the request_call method sets the session['omniauth.params'] from request.GET.
Are you able to confirm that this is a side-effect of the mitigation strategy? If so, would you be able to recommend a workaround?
Thank you again.
cpinto commented
Sorry for this, on further inspection the issue is on our end.