How do I fix the Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected ?
bigos opened this issue · 4 comments
I am using Rails 6.1.3.1
and the advice from 5 years ago no longer works.
I am trying to create my own strategy and respond to a callback from a server that is built on https://github.com/doorkeeper-gem/doorkeeper
This is the backtrace that makes no sense to me.
Started GET "/auth/authoritarian/callback?code=a5d7416bd2e0d2c2dc97cd6220ff6829da2aa846337d400a53ff309d7ef5d76d&state=" for 10.16.90.26 at 2021-09-03 17:58:31 +0100
Cannot render console from 10.16.90.26! Allowed networks: 127.0.0.0/127.255.255.255, ::1
D, [2021-09-03T17:58:33.734478 #27232] DEBUG -- omniauth: (authoritarian) Callback phase initiated.
E, [2021-09-03T17:58:33.763931 #27232] ERROR -- omniauth: (authoritarian) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
E, [2021-09-03T17:58:33.764709 #27232] ERROR -- omniauth: (authoritarian) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
E, [2021-09-03T17:58:33.765428 #27232] ERROR -- omniauth: (authoritarian) Authentication failure! csrf_detected | CSRF detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
OmniAuth::Strategies::OAuth2::CallbackError (csrf_detected | CSRF detected):
omniauth (2.0.4) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
omniauth (2.0.4) lib/omniauth/failure_endpoint.rb:20:in `call'
omniauth (2.0.4) lib/omniauth/failure_endpoint.rb:12:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:544:in `fail!'
omniauth-oauth2 (1.7.1) lib/omniauth/strategies/oauth2.rb:89:in `callback_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:272:in `callback_call'
omniauth (2.0.4) lib/omniauth/strategy.rb:194:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/builder.rb:45:in `call'
rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3) lib/rack/etag.rb:27:in `call'
rack (2.2.3) lib/rack/conditional_get.rb:27:in `call'
rack (2.2.3) lib/rack/head.rb:12:in `call'
actionpack (6.1.3.1) lib/action_dispatch/http/permissions_policy.rb:22:in `call'
actionpack (6.1.3.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (6.1.3.1) lib/action_dispatch/middleware/cookies.rb:689:in `call'
activerecord (6.1.3.1) lib/active_record/migration.rb:601:in `call'
actionpack (6.1.3.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
Is it possible that the logic here is wrong? How do I ignore state?
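The `elsif` quoted above is omniauth-oauth2's login-CSRF defence: it fails with `csrf_detected` either when the callback's `state` parameter is empty (which is exactly what the log shows, `state=` with no value, meaning the authorize request sent to the Doorkeeper server never carried a state for it to echo back) or when it does not equal the value the request phase stored in the session. The following is an added, stand-alone model of that check, written for this page; it is not omniauth's or Doorkeeper's code, and the module name, the `callback_phase`/`request_phase` helpers, the hosts and the callback URLs are all made up for illustration. It runs each case a practitioner should recognise, including what `provider_ignores_state: true` actually does.

```ruby
require "securerandom"
require "uri"
require "cgi"

# Added, stand-alone model of the state check quoted in the issue; not
# omniauth's code. OAuthStateCheck and its method names are assumed.
module OAuthStateCheck
  module_function

  # Request phase (what OmniAuth does when the user hits /auth/<provider>):
  # mint an unguessable, single-use state, remember it in the session and
  # send it to the provider on the authorize URL. Returns that URL.
  def request_phase(session, authorize_endpoint, client_id, redirect_uri)
    state = SecureRandom.hex(24)
    session["omniauth.state"] = state
    query = URI.encode_www_form(response_type: "code", client_id: client_id,
                                redirect_uri: redirect_uri, state: state)
    "#{authorize_endpoint}?#{query}"
  end

  # Callback phase: the decision the quoted `elsif` makes, with the same
  # operand order. session.delete consumes the stored value, so a second
  # callback carrying the same state has nothing left to match against.
  # Returns :ok or the failure key OmniAuth would log.
  def callback_phase(session, callback_url, provider_ignores_state: false)
    params = CGI.parse(URI(callback_url).query.to_s).transform_values(&:first)
    if params["error"]
      :invalid_credentials
    elsif !provider_ignores_state &&
          (params["state"].to_s.empty? || params["state"] != session.delete("omniauth.state"))
      :csrf_detected
    else
      :ok
    end
  end
end

# Runs the callback check against constructed URLs (hosts and paths are
# made up) and returns the outcome of each case.
def state_check_cases
  callback = "https://app.example/auth/authoritarian/callback"
  session = {}
  url = OAuthStateCheck.request_phase(session, "https://sso.example/oauth/authorize",
                                      "client-id", callback)
  state = CGI.parse(URI(url).query)["state"].first

  {
    # Provider echoes the state it was given: the only case that should pass.
    echoed:   OAuthStateCheck.callback_phase(session.dup, "#{callback}?code=c0de&state=#{state}"),
    # What the log in this issue shows: "state=" comes back empty because the
    # authorize request never carried one (it was not built by the request phase).
    empty:    OAuthStateCheck.callback_phase(session.dup, "#{callback}?code=c0de&state="),
    # Login CSRF attempt: attacker sends the victim a callback URL with a code
    # for the attacker's account and a state the victim's session never issued.
    forged:   OAuthStateCheck.callback_phase(session.dup,
                                             "#{callback}?code=c0de&state=#{SecureRandom.hex(24)}"),
    # Replay: the first callback consumed the stored state; a second use fails.
    replayed: begin
                OAuthStateCheck.callback_phase(session, "#{callback}?code=c0de&state=#{state}")
                OAuthStateCheck.callback_phase(session, "#{callback}?code=c0de&state=#{state}")
              end,
    # provider_ignores_state: true skips the comparison entirely, so the same
    # empty-state callback is accepted. That silences the error by removing
    # the CSRF defence, not by fixing the flow.
    ignored:  OAuthStateCheck.callback_phase({}, "#{callback}?code=c0de&state=",
                                             provider_ignores_state: true)
  }
end

puts state_check_cases if $PROGRAM_NAME == __FILE__
```

The `empty` case reproduces the failure in the log, and the `ignored` case shows why answering "how do I ignore state" with `provider_ignores_state: true` is the wrong fix: with the check off, a callback crafted by an attacker is indistinguishable from a genuine one. The flow only works when the authorize request to the Doorkeeper server is built by the request phase (so it carries the session's state) and the server echoes that state back unchanged on the callback.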
@bigos have you followed the upgrade guides for omniauth 2?
I need a break. I will check later.
After looking at your suggestion, I believe I have to fix the request on the doorkeeper side to make it work, but that has to wait until Monday.