
CSRF detected error after using omniauth authorization on android device #1106

Open
Dev-And opened this issue Mar 7, 2018 · 6 comments

Dev-And commented Mar 7, 2018

I use devise_token_auth + omniauth authorization + the google_oauth2 gem. It works well in the web app. But on mobile I have some problems with it. When the Android app posts the authorization code to /omniauth/google_oauth2/callback I always get the error:

```
INFO -- : [5fe94566-e098-4a4a-b274-ca24606beb27] Started POST "myapp/omniauth/google_oauth2/callback" for 91.102.176.32 at 2018-03-07 13:22:44 +0000
INFO -- omniauth: (google_oauth2) Callback phase initiated.
ERROR -- omniauth: (google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
INFO -- : [5fe94566-e098-4a4a-b274-ca24606beb27] Processing by Devise::OmniauthCallbacksController#failure as HTML
INFO -- : [5fe94566-e098-4a4a-b274-ca24606beb27] Parameters: {"code"=>"4/AACauqwi5alzAwsWvoSbNnsKSQ63HNDMhX0jXoGbcDCPyoVObPUekAyHLh1wcA4RkZjjsz_NWG2sFCHDGl9kchQ"}
INFO -- : [5fe94566-e098-4a4a-b274-ca24606beb27] Redirected to https://myapp/auth/sign_in
INFO -- : [5fe94566-e098-4a4a-b274-ca24606beb27] Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
INFO -- : [a08dd2a1-5565-433d-b20d-959ac2a4a469] Started GET "/auth/sign_in" for 91.102.176.32 at 2018-03-07 13:22:44 +0000
INFO -- : [a08dd2a1-5565-433d-b20d-959ac2a4a469] Processing by DeviseTokenAuth::SessionsController#new as HTML
INFO -- : [a08dd2a1-5565-433d-b20d-959ac2a4a469] Completed 405 Method Not Allowed in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)
```

@zachfeldman (Contributor) commented:

Have you tried disabling CSRF protection in the controller?

Dev-And commented Mar 7, 2018

As I understand it, omniauth uses its own CSRF protection. So I use the parameter "provider_ignore_state" in the google_oauth2 gem and set it to true. Also there isn't "protect_from_forgery" in the OmniauthCallbacks controller.

@zachfeldman (Contributor) commented:

Hmm, I'm not sure, have you seen this issue? #654

Dev-And commented Mar 7, 2018

Yes, I have tried solutions from this issue but it's still not working.

@zachfeldman (Contributor) commented:

Sorry to hear that. Wish I could help more.

Dev-And commented Mar 8, 2018

So as I understand it, omniauth in devise_token_auth works with the following flow:
client sends a request to /auth/google_oauth2 ->
then a window with the Google account is rendered ->
at this moment omniauth gets the authorization code and sends it to /omniauth/google_oauth2/callback ->
then the user is logged in if they exist, or created.
But that's about login from the browser. Does it work the same with mobile apps, or do I need to send some additional/different params to /omniauth/google_oauth2/callback?
I'm working with mobile authorization for the first time and maybe don't understand some things.
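The "csrf_detected" failure in the log above comes from the OAuth2 state check that OmniAuth's OAuth2 strategies run in the callback phase: the request phase mints a random `state`, stores it in the server-side session and sends it to the provider, and the callback phase only accepts a `code` whose accompanying `state` matches what was stored. The mobile POST in the log carries only `code` and arrives without the browser session that holds the state, so the check fails. The following is an added illustrative model of that round-trip, written for this thread; it is not OmniAuth's or devise_token_auth's own code. The session key name `omniauth.state`, the `ignore_state:` keyword (standing in for the `provider_ignore_state` option discussed above) and the sample `code` values are assumptions or constructed for the example.

```ruby
require "securerandom"

# Illustrative model of the OAuth2 "state" round-trip used as CSRF
# protection by OmniAuth-style OAuth2 strategies (example code, not the
# library's own source).
module StateCheck
  CSRF_DETECTED = :csrf_detected
  OK = :ok

  # Request phase: mint a random state, remember it in the browser session
  # and hand it back so the caller can put it in the provider redirect.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session["omniauth.state"] = state   # assumed key name
    { redirect_state: state }
  end

  # Callback phase: compare the provider-echoed state with the stored one.
  # The stored value is consumed first so a state cannot be replayed.
  # ignore_state: models the gem option that skips this check entirely
  # (the callback then accepts any "code", which is why it is a risk
  # rather than a fix for a missing session).
  def self.callback_phase(session, params, ignore_state: false)
    expected = session.delete("omniauth.state")
    return OK if ignore_state
    # No session state (mobile POST without a browser session) or no
    # "state" param at all is rejected, as is a mismatch.
    return CSRF_DETECTED if expected.nil? || params["state"].nil?
    return CSRF_DETECTED unless secure_compare(expected.to_s, params["state"].to_s)
    OK
  end

  # Constant-time comparison so the check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Browser flow (constructed): the state minted in the request phase is
# echoed back by the provider together with the code.
def browser_flow
  session = {}
  state = StateCheck.request_phase(session)[:redirect_state]
  StateCheck.callback_phase(session, { "code" => "constructed-code", "state" => state })
end

# Mobile flow as in the issue's log (constructed): the app obtained the
# code itself and POSTs only "code"; there is no session and no state.
def mobile_flow(ignore_state: false)
  StateCheck.callback_phase({}, { "code" => "constructed-code" }, ignore_state: ignore_state)
end

if __FILE__ == $PROGRAM_NAME
  puts "browser: #{browser_flow}"                    # :ok
  puts "mobile:  #{mobile_flow}"                     # :csrf_detected
  puts "mobile, state ignored: #{mobile_flow(ignore_state: true)}"  # :ok
end
```

Running it reproduces the two outcomes seen in the thread: the browser round-trip passes, and the code-only mobile POST is rejected as `csrf_detected` unless the state check is switched off. The defender's takeaway is that the check fails for a structural reason (no session, no state) rather than a bug, so the fix belongs in the exchange design, such as having the mobile client go through the request phase or using a separate endpoint that validates the code with the provider directly, rather than in disabling the check.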
