Onmiauth.auth not exists when using impersonation from dashboard

leakira · December 14, 2018, 11:31am

Hi, I’m starting to work with Auth0, and I`m trying now to implement impersonation (Sign in as user).

The authentication part is done, but when retuns to callback action, onmiauth.auth is nil.
My doubt is: this behavior is correct and I need to search user info using API or I’m forgetting something?

Language: Ruby on Rails
Gem: onmiauth, onmiauth-auth0
Application type: Regular web application

Thanks in advance.

nicolas_sabena · December 15, 2018, 8:06pm

The omniauth-oauth2 gem that omniauth-auth0 is based on checks the validity of the state parameter on the authentication response to prevent against CSRF login attacks. The impersonation flow generates an authentication response that, in the eyes of the application, was never requested. Since the impersonation doesn’t have a state, the response is rejected.(you should be getting a CallbackError with CSRF detected generated here).

The omniauth-oauth2 strategy provides support for the :provider_ignores_state => true option to disable the CSRF check. I’m not familiar with Ruby to confirm this, but you might be able to add this option when constructing the omniauth-auth0 strategy.

provider 
  :auth0,
  ENV['AUTH0_CLIENT_ID'],
  ENV['AUTH0_CLIENT_SECRET'],
  ENV['AUTH0_DOMAIN'],
  {
    provider_ignores_state: true
  }

WARNING: even if this works, it doesn’t mean you should do it. By putting this option you are explicitly removing a CSRF Login attack safeguard. So, the recommendation is to forget about impersonation and leave this option off.

You can find more info about CSRF protection and impersonation at https://auth0.com/docs/users/guides/impersonate-users-using-the-dashboard#login-csrf-attacks-mitigation-and-impersonation

leakira · December 17, 2018, 9:40am

Hi

Thanks for response, but I already have set “provider_ignores_state” when got CSRF error during first tries with impersonation.
Do you know if the user data returns in oauth controller, or I need to search from API?

My current strategy is:

provider(
      :auth0,
      ENV['AUTH0_CLIENT_ID'],
      ENV['AUTH0_CLIENT_SECRET'],
      ENV['AUTH0_DOMAIN'],
      authorize_params: {
        scope: 'openid profile',
      },
      provider_ignores_state: true,
    )

Thanks

konrad.sopala · August 28, 2019, 2:47pm

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?