We have two live issues on our enterprise rails platform.
This uses omniauth-auth0 (3.0.0) and omniauth-rails_csrf_protection (1.0.0).
1.) When a new user clicks ‘login’ and enters their credentials, they are immediately redirected back to the login page with an error "Warning access_denied | Unauthorised email address". How do we give users authorisation?
Note: there is no “Authorize this app” page after providing the credentials. As soon as the user puts in their email and password and clicks submit, they are redirected back to our website.
The server log message is:
Started GET "/backoffice/auth0/callback?error=access_denied&error_description=[FILTERED]&state=..."
E, [2022-02-21T10:56:49.694673 #59158] ERROR -- omniauth: (auth0) Authentication failure! access_denied: OmniAuth::Strategies::OAuth2::CallbackError, access_denied | Unauthorised email address: [EMAIL]
Processing by Backoffice::Auth0Controller#failure as HTML
Parameters: {"error"=>"access_denied", "error_description"=>"[FILTERED]", "state"=>"90f8c5cda16579cae904ac21661b24179311c27dc7c4d89c"}
Auth0 Error: access_denied | Unauthorised email address: [EMAIL] excluded from capture: DSN not set
Redirected to http://localhost:3000/backoffice
2.) After the user has logged in once (and failed), subsequent attempts to log in don’t give the user the choice of which email to use, and instead instantly redirect back to the login page.
If it helps, here are the relevant pieces of code (the OmniAuth initializer, then the controller):
Rails.application.config.middleware.use OmniAuth::Builder do
  provider(
    :auth0,
    ENV['AUTH0_CLIENT_ID'],
    ENV['AUTH0_CLIENT_SECRET'],
    ENV['AUTH0_DOMAIN'],
    callback_path: '/backoffice/auth0/callback',
    authorize_params: {
      scope: 'openid profile'
    }
  )
end

OmniAuth.config.allowed_request_methods = [:post]
OmniAuth.config.on_failure = Backoffice::Auth0Controller.action(:failure)
module Backoffice
  class Auth0Controller < Backoffice::ApplicationController
    def index
      redirect_to backoffice_dashboard_index_path if helpers.admin_signed_in?
    end

    def logout
      audit!(action: :logout)
      session.delete(:backoffice_userinfo)
      redirect_to helpers.admin_logout_url
    end

    def callback
      # OmniAuth places the User Profile information (retrieved by omniauth-auth0)
      # in request.env['omniauth.auth'].
      # Refer to https://github.com/auth0/omniauth-auth0#auth-hash for complete
      # information on 'omniauth.auth' contents.
      session[:backoffice_userinfo] = request.env['omniauth.auth']
      redirect_to backoffice_dashboard_index_path
    end

    def local_auth
      raise 'For development use only' unless helpers.auth0_bypass_in_local?

      request.env['omniauth.auth'] = { info: { name: 'Test User' } }
      callback
    end

    # Reached via OmniAuth.config.on_failure. OmniAuth stores the exception in
    # request.env['omniauth.error'] and the short code in 'omniauth.error.type'.
    def failure
      error = request.env['omniauth.error']
      # Fall back to the error type so a failure without an exception object
      # does not itself raise NoMethodError on nil.
      message = error ? error.message : request.env['omniauth.error.type'].to_s
      Raven.capture_exception(RuntimeError.new("Auth0 Error: #{message}"))
      redirect_to backoffice_path, flash: { alert: message }
    end
  end
end
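Added example, not code from the post above and not from omniauth-auth0 or omniauth-rails_csrf_protection: a self-contained Ruby model of what has to happen to a callback request shaped like the logged `GET /backoffice/auth0/callback?error=access_denied&error_description=...&state=...` before anything in it is acted on. It checks the returned `state` against the value the session issued (in the real app OmniAuth does this for you; here it is modelled explicitly), maps the provider's RFC 6749 error code to a safe user-facing message instead of echoing `error_description` into the flash, and redacts e-mail addresses from the description before it goes to a log or error tracker, as the `[EMAIL]` filtering in the post's log does. The URL, state value, message texts and function names are constructed for the example.

```ruby
require 'uri'
require 'cgi'

# Error codes a provider may return on the redirect URI instead of an
# authorization code (RFC 6749, section 4.1.2.1).
OAUTH2_ERROR_CODES = %w[
  invalid_request unauthorized_client access_denied unsupported_response_type
  invalid_scope server_error temporarily_unavailable
].freeze

# Messages safe to show to the end user for each error code; anything not
# listed falls back to a generic message so the provider's error_description
# is never echoed verbatim into the UI.
USER_MESSAGES = {
  'access_denied'           => 'Your account is not authorised to sign in here.',
  'server_error'            => 'The identity provider reported an error. Please try again later.',
  'temporarily_unavailable' => 'The identity provider is temporarily unavailable.'
}.freeze

CallbackResult = Struct.new(:status, :code, :user_message, :log_message, keyword_init: true)

# Flatten the query string of the callback URL into a Hash of single values.
def parse_callback(url)
  CGI.parse(URI.parse(url).query.to_s).transform_values(&:first)
end

# Constant-time string comparison so that a wrong state value cannot be
# distinguished from a right one by response timing.
def secure_equal?(expected, actual)
  return false if expected.nil? || actual.nil? || expected.bytesize != actual.bytesize

  diff = 0
  expected.bytes.zip(actual.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Replace e-mail addresses with a placeholder before a message reaches logs or
# an error tracker (constructed pattern, good enough for typical addresses).
def redact_emails(text)
  text.gsub(/[^\s@:]+@[^\s@]+\.[^\s@]+/, '[EMAIL]')
end

# Decide what to do with a callback request. `session_state` is the value the
# application stored when it built the authorize request (assumed to come from
# the session; hypothetical signature for this example).
def handle_callback(session_state, url)
  params = parse_callback(url)

  # A callback without the expected state is treated as a CSRF attempt or a
  # replay: no provider-supplied parameter is trusted past this point.
  unless secure_equal?(session_state, params['state'])
    return CallbackResult.new(status: :csrf_failure, code: 'invalid_state',
                              user_message: 'Login could not be completed. Please try again.',
                              log_message: 'state mismatch on callback; provider parameters ignored')
  end

  if params.key?('error')
    code = params['error']
    code = 'unknown_error' unless OAUTH2_ERROR_CODES.include?(code)
    description = redact_emails(params['error_description'].to_s)
    return CallbackResult.new(status: :provider_error, code: code,
                              user_message: USER_MESSAGES.fetch(code, 'Login failed.'),
                              log_message: "#{code} | #{description}")
  end

  if params['code']
    CallbackResult.new(status: :ok, code: nil, user_message: nil,
                       log_message: 'authorization code received; proceeding to token exchange')
  else
    CallbackResult.new(status: :malformed, code: 'missing_code',
                       user_message: 'Login could not be completed. Please try again.',
                       log_message: 'callback carried neither code nor error')
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample with the same shape as the request in the post's log.
  url = 'http://localhost:3000/backoffice/auth0/callback' \
        '?error=access_denied&error_description=Unauthorised%20email%20address%3A%20someone%40example.com&state=abc'
  r = handle_callback('abc', url)
  puts "#{r.status} #{r.code} -> user: #{r.user_message} | log: #{r.log_message}"
end
```

Run as a script it prints the classification of the constructed access_denied callback. The split between `user_message` and `log_message` is the point: the operator sees the provider's reason (with the address redacted), the user sees only a fixed message for the error code, and a request whose `state` does not match is dropped before either message is built.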