Authentication failure! csrf_detected

Please include the following information in your post:

  • Which SDK this is regarding: e.g. omniauth-auth0 ruby gem
  • SDK Version: latest version 2.5.0
  • Platform Version: e.g. Ruby 2.5.8, rails version ‘5.0.7.2’
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

ERROR – omniauth: (auth0) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

I am using the ruby on rails guide located on the auth0 website and the omniauth auth0 gem page.

Every time the authentication calls back to my application, I get the following error:

ERROR – omniauth: (auth0) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

At this point I’m not really sure what to try. It works fine locally but the issue occurs when I deploy my application to a deployed environment.

INFO -- : Completed 406 Not Acceptable in 11ms
INFO -- : Processing by Auth0Controller#failure as HTML
INFO -- : Parameters: {"message"=>"csrf_detected", "strategy"=>"auth0"}
INFO -- : Started GET "/auth/failure?message=csrf_detected&strategy=auth0"
ERROR -- omniauth: (auth0) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
INFO -- omniauth: (auth0) Callback phase initiated.
INFO -- : Started GET "/auth/auth0/callback?code=Ea4jPvhH7aeRzCtF&state=005abdb28c023f519cc41268b657e8e32f3a3dda9031499f"
"GET /auth/auth0/callback?code=Ea4jPvhH7aeRzCtF&state=005abdb28c023f519cc41268b657e8e32f3a3dda9031499f HTTP/1.1" 302 0 9 "https://login.microsoftonline.com/"
INFO -- omniauth: (auth0) Request phase initiated.
INFO -- : Started POST "/auth/auth0" for 10.176.126.32 at 2021-01-27 23:28:54 +0000

At this point I am not sure what even to try. Has anyone any ideas what this could be and how it could be resolved? Let me know if I can provide any further information.

I was getting a cookie overflow so I changed the session store in the initializer as per the guide:

Rails.application.config.session_store :cache_store, key: '_myapp_session'

If I remove this I get a cookie overflow error.

I want to reply here with some suggestions, as I tried a lot of things.

It could be that I had set up an https and http callback url in the auth0 dashboard to the SAME url (the only difference being http/https). So perhaps it was hitting my app twice. Not sure.

Also, in my auth0 initializer, I used: provider_ignores_state: true which I found on the omniauth github as a solution. It seems this isn’t good practice however so I’m not sure about this solution but it seems to fix the csrf issue (or at least mask it).

The rails auth0 guides suggest changing the session type to :cache_store, but this did not work for me as the session would be lost between controllers and I would lose the user_id.
I changed it back to cookie store and I am only now storing the user_id in the session rather than the whole of the returned userinfo. This reduces the cookie size and prevents the overflow error I was getting.
Perhaps there are additional steps when using cache_store? Do you have to set up a cache? Should there be additional instructions there?
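Both the original question and the follow-up above come down to the same mechanism: OmniAuth's OAuth2 strategy mints a random `state` value in the request phase, stores it in the session, and in the callback phase compares the `state` echoed back by Auth0 against the stored copy. If the session that held the value is gone by the time the callback arrives (a `:cache_store` with no backing cache, or a session cookie written on one scheme/host and a callback landing on another), the genuine `state` no longer matches anything and the strategy reports `csrf_detected`. The following Ruby is an added example modelled on that check, not the omniauth-oauth2 gem's own code; `StateCheck` and the scenario helpers are constructed here for illustration. It shows the happy path, the lost-session failure from the thread, a forged callback, and why `provider_ignores_state: true` only masks the symptom: it also accepts the forged callback. The last helper shows the session-shrinking change from the reply (storing only the id, since the Rails cookie store raises `CookieOverflow` above 4 KB).

```ruby
require 'securerandom'

# Simplified model of the OAuth2 "state" CSRF check (added example; not the
# gem's own code). A real strategy keeps the value under session['omniauth.state'].
module StateCheck
  # Request phase: mint an unguessable state, remember it in the session and
  # return it so the caller can put it on the authorize URL.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session['omniauth.state'] = state
    state
  end

  # Callback phase: compare the state the IdP echoed back with the one in the
  # session. Returns :ok or :csrf_detected. The stored value is consumed so a
  # replayed callback cannot reuse it.
  def self.callback_phase(session, returned_state, provider_ignores_state: false)
    return :ok if provider_ignores_state # check disabled entirely

    expected = session.delete('omniauth.state')
    if expected.nil? || returned_state.to_s.empty? || expected != returned_state
      :csrf_detected
    else
      :ok
    end
  end
end

# Scenario 1: the session survives between the two phases -> :ok
def happy_path
  session = {}
  state = StateCheck.request_phase(session)
  StateCheck.callback_phase(session, state)
end

# Scenario 2: the session is lost between phases (no cache behind
# :cache_store, or the cookie was set on https and the callback came in on
# http). The state is genuine, but nothing is left to compare it with.
def lost_session
  session = {}
  state = StateCheck.request_phase(session)
  session.clear # models the session disappearing before the callback
  StateCheck.callback_phase(session, state)
end

# Scenario 3: a callback carrying a state this session never minted.
def forged_state
  session = {}
  StateCheck.request_phase(session)
  StateCheck.callback_phase(session, SecureRandom.hex(24))
end

# Scenario 4: provider_ignores_state: true accepts scenario 3 as well,
# which is why it masks the error rather than fixing it.
def ignores_state_masks_forgery
  session = {}
  StateCheck.request_phase(session)
  StateCheck.callback_phase(session, SecureRandom.hex(24), provider_ignores_state: true)
end

# Keep the cookie session small: persist only the identifier, not the whole
# userinfo hash returned by Auth0 (the 4 KB cookie limit is what overflowed).
def session_payload(auth_hash)
  { 'user_id' => auth_hash['uid'] }
end

if __FILE__ == $PROGRAM_NAME
  puts "happy path:        #{happy_path}"
  puts "lost session:      #{lost_session}"
  puts "forged state:      #{forged_state}"
  puts "ignores state:     #{ignores_state_masks_forgery}"
  puts "session payload:   #{session_payload('uid' => 'auth0|example', 'info' => { 'name' => 'x' })}"
end
```

The practical check this suggests for the deployed environment: confirm the session written during `POST /auth/auth0` is the one read during `GET /auth/auth0/callback` (same cookie name, same scheme and host, and a real cache configured if `:cache_store` is used) before reaching for `provider_ignores_state`.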