The omniauth-oauth2 gem that omniauth-auth0 is based on checks the validity of the state parameter on the authentication response to protect against login CSRF attacks. The impersonation flow generates an authentication response that, in the eyes of the application, was never requested. Since the impersonation doesn't have a state, the response is rejected (you should be getting a "CSRF detected" error generated here).
The omniauth-oauth2 strategy provides support for the :provider_ignores_state => true option to disable the CSRF check. I'm not familiar enough with Ruby to confirm this, but you might be able to add this option when constructing the
WARNING: even if this works, it doesn't mean you should do it. By setting this option you are explicitly removing a login CSRF attack safeguard. So, the recommendation is to forget about impersonation and leave this option off.
You can find more info about CSRF protection and impersonation at https://auth0.com/docs/users/guides/impersonate-users-using-the-dashboard#login-csrf-attacks-mitigation-and-impersonation
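As an added example that is not part of the original post and is not omniauth-oauth2's own code, here is a simplified Ruby model of the state check described above. The class name, the scenario functions and the constructed code/state values are assumptions made for the illustration; only the session key "omniauth.state", the request/callback phase names and the :provider_ignores_state option are taken from the gem. It shows why an impersonation callback trips the check, why a login CSRF attempt trips the same check, and what setting provider_ignores_state actually gives up:

```ruby
require "securerandom"

# Added example: a simplified model of the state check that omniauth-oauth2
# performs in its callback phase. This is NOT the gem's code. The session key
# "omniauth.state", the request_phase/callback_phase names and the
# provider_ignores_state option mirror the gem; everything else is assumed.
class StateCheckingStrategy
  attr_reader :session

  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
    @session = {} # stands in for the browser's cookie-backed session
  end

  # Request phase: mint a random state, remember it in the session and
  # send it along with the redirect to the identity provider.
  def request_phase
    state = SecureRandom.hex(24)
    @session["omniauth.state"] = state
    { "response_type" => "code", "state" => state }
  end

  # Callback phase: the provider redirects back with ?code=...&state=...
  # Returns :ok when the callback matches an authentication this session
  # requested, :csrf_detected otherwise.
  def callback_phase(params)
    expected = @session.delete("omniauth.state") # one-time use
    return :ok if @provider_ignores_state         # check disabled (dangerous)

    provided = params["state"].to_s
    return :csrf_detected if provided.empty? || expected.nil?
    return :csrf_detected unless secure_compare(provided, expected)

    :ok
  end

  private

  # Constant-time comparison so an attacker cannot learn the expected
  # state byte by byte from timing differences.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Scenario 1: a normal login. The same session ran the request phase, so the
# state echoed back by the provider matches the stored one.
def normal_login
  strategy = StateCheckingStrategy.new
  redirect_params = strategy.request_phase
  strategy.callback_phase("code" => "authcode-123", "state" => redirect_params["state"])
end

# Scenario 2: an impersonation-style callback (constructed). The browser session
# never ran the request phase and the response carries no state, so nothing in
# the session vouches for it and it is rejected with CSRF detected.
def impersonation_callback
  strategy = StateCheckingStrategy.new
  strategy.callback_phase("code" => "authcode-from-impersonation")
end

# Scenario 3: a login CSRF attempt (constructed). The attacker completes their
# own login to get a valid code+state pair and tricks the victim's browser into
# loading the callback URL. The victim's session holds a different state.
def login_csrf_attempt
  victim = StateCheckingStrategy.new
  victim.request_phase # victim had started a login of their own
  attacker = StateCheckingStrategy.new
  attacker_redirect = attacker.request_phase
  victim.callback_phase("code" => "attackers-code", "state" => attacker_redirect["state"])
end

# Scenario 4: the impersonation callback with provider_ignores_state set.
def impersonation_with_check_disabled
  strategy = StateCheckingStrategy.new(provider_ignores_state: true)
  strategy.callback_phase("code" => "authcode-from-impersonation")
end

# Scenario 5: the same option also lets the login CSRF attempt through,
# which is the safeguard the option removes.
def login_csrf_with_check_disabled
  victim = StateCheckingStrategy.new(provider_ignores_state: true)
  attacker = StateCheckingStrategy.new
  attacker_redirect = attacker.request_phase
  victim.callback_phase("code" => "attackers-code", "state" => attacker_redirect["state"])
end

if __FILE__ == $PROGRAM_NAME
  puts "normal login:                  #{normal_login}"
  puts "impersonation callback:        #{impersonation_callback}"
  puts "login CSRF attempt:            #{login_csrf_attempt}"
  puts "impersonation, check disabled: #{impersonation_with_check_disabled}"
  puts "login CSRF, check disabled:    #{login_csrf_with_check_disabled}"
end
```

Run it with `ruby state_check.rb` (any file name works). Scenarios 2 and 3 are rejected for the same reason: the callback does not match a state this session issued, and the check cannot tell a well-meant impersonation response from an attacker's forged one. Scenario 5 makes the cost of provider_ignores_state concrete: once the check is off, a login CSRF callback is accepted just like the impersonation one.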