
omniauth.auth does not exist when using impersonation from dashboard

impersonation
#1

Hi, I’m starting to work with Auth0, and I’m now trying to implement impersonation (Sign in as user).

The authentication part is done, but when it returns to the callback action, omniauth.auth is nil.
My doubt is: is this behavior correct and do I need to look up the user info using the API, or am I forgetting something?

Language: Ruby on Rails
Gem: omniauth, omniauth-auth0
Application type: Regular web application

Thanks in advance.

#2

The omniauth-oauth2 gem that omniauth-auth0 is based on checks the validity of the state parameter on the authentication response to protect against CSRF login attacks. The impersonation flow generates an authentication response that, in the eyes of the application, was never requested. Since the impersonation doesn’t have a state, the response is rejected (you should be getting a CallbackError with “CSRF detected” generated here).

The omniauth-oauth2 strategy provides support for the :provider_ignores_state => true option to disable the CSRF check. I’m not familiar enough with Ruby to confirm this, but you might be able to add this option when constructing the omniauth-auth0 strategy.

# Typically in config/initializers/auth0.rb, inside the OmniAuth::Builder block.
# Parentheses are needed: a bare `provider` on its own line ends the statement.
provider(
  :auth0,
  ENV['AUTH0_CLIENT_ID'],
  ENV['AUTH0_CLIENT_SECRET'],
  ENV['AUTH0_DOMAIN'],
  {
    provider_ignores_state: true  # turns off the state (login CSRF) check
  }
)

WARNING: even if this works, it doesn’t mean you should do it. By setting this option you are explicitly removing a CSRF login attack safeguard. So, the recommendation is to forget about impersonation and leave this option off.

You can find more info about CSRF protection and impersonation at https://auth0.com/docs/users/guides/impersonate-users-using-the-dashboard#login-csrf-attacks-mitigation-and-impersonation
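To make the state check described above concrete, here is an added, simplified model of what omniauth-oauth2 does in its callback phase (illustrative code written for this thread, not the gem’s own implementation; the class, the `omniauth.state` session key and the sample values are constructed). It shows why an authentication response that no session asked for fails the check, and what `provider_ignores_state` gives up.

```ruby
require 'securerandom'

# Mirrors the error omniauth-oauth2 raises; constructed for this example.
class CallbackError < StandardError; end

class StateCheckingStrategy
  attr_reader :session

  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
    @session = {} # stands in for the Rack session of one browser
  end

  # Request phase: mint a random state, remember it in this session and
  # send it along on the authorize redirect (constructed hostname).
  def request_phase
    state = SecureRandom.hex(24)
    @session['omniauth.state'] = state
    "https://example.auth0.com/authorize?state=#{state}"
  end

  # Callback phase: accept the response only if it carries the state this
  # session asked for, unless the check was explicitly disabled.
  def callback_phase(params)
    expected = @session.delete('omniauth.state')
    unless @provider_ignores_state
      if params['state'].to_s.empty? || params['state'] != expected
        raise CallbackError, 'csrf_detected'
      end
    end
    { 'code' => params['code'], 'state_checked' => !@provider_ignores_state }
  end
end

# A normal login: the state round-trips through the browser and matches.
def normal_login(strategy)
  url = strategy.request_phase
  state = url[/state=(\w+)/, 1]
  strategy.callback_phase('code' => 'constructed-code', 'state' => state)
end

# An unsolicited response, as dashboard impersonation produces: nothing
# was stored in this session, so no state can match and the response is
# rejected unless provider_ignores_state is set.
def unsolicited_response(strategy)
  strategy.callback_phase('code' => 'constructed-code', 'state' => 'foreign')
rescue CallbackError => e
  e.message
end
```

Running `unsolicited_response` against a strategy built with `provider_ignores_state: true` returns the auth hash instead of `csrf_detected`, which is exactly the safeguard the warning above refers to.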

#3

Hi

Thanks for the response, but I had already set “provider_ignores_state” when I got the CSRF error during my first tries with impersonation.
Do you know if the user data is returned in the OAuth controller, or do I need to fetch it from the API?

My current strategy is:

provider(
  :auth0,
  ENV['AUTH0_CLIENT_ID'],
  ENV['AUTH0_CLIENT_SECRET'],
  ENV['AUTH0_DOMAIN'],
  authorize_params: {
    scope: 'openid profile',
  },
  provider_ignores_state: true,
)

Thanks