
Rails quickstart results in CSRF detected error from omniauth



When following the Rails quickstart guide, my application threw a CSRF detected error (OmniAuth::Strategies::OAuth2::CallbackError csrf_detected | CSRF detected).

This issue on the auth0-omniauth gem indicates that other people are having similar problems.

Digging into the stack trace, I discovered that the error is occurring on this line in the omniauth-oauth2 gem, specifically because session.delete("omniauth.state") is evaluating to nil.
Looking into the session, it appears that it is only storing the session id and no other data, much less the omniauth state.
This parameter should be set in SessionHelper#get_state as outlined in the Rails quickstart guide (session['omniauth.state'] = state).

Why isn’t this information being stored? Is there a workaround for this other than setting provider_ignores_state: true in the auth0 initializer?

I attempted to implement this solution using the auth0.js library instead of the lock.js library, but was unsuccessful.

I’m using omniauth-auth0 (2.0.0), omniauth-oauth2 (1.4.0), omniauth (1.6.1)
and auth0.min.js (8.8.0)


Answered my own question: the session information was not being stored properly in the cache, as I had set Rails.application.config.session_store :cache_store to avoid the ActionDispatch::Cookies::CookieOverflow error, but did not have my cache configured correctly. Leaving this here in case other people have the same problem.
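To make the failure mode above concrete, here is an added example (not code from the thread, the quickstart or the omniauth gems) that models a cache-backed Rails session and reproduces the same state comparison omniauth-oauth2 makes in its callback phase. The MemoryCache and NullCache classes are constructed stand-ins for ActiveSupport's :memory_store and :null_store (the latter discards every write, which is the stock development default until caching is turned on with rails dev:cache); CacheSession, request_phase, callback_phase and login_roundtrip are hypothetical names. With a cache that keeps data the round-trip succeeds; with one that drops it, session.delete("omniauth.state") returns nil and the check reports csrf_detected, exactly as in the question.

```ruby
require "securerandom"

# Stand-in for a cache backend that keeps what it is given
# (like ActiveSupport's :memory_store). Constructed for this example.
class MemoryCache
  def initialize
    @data = {}
  end

  def write(key, value)
    @data[key] = value
    true
  end

  def read(key)
    @data[key]
  end
end

# Stand-in for a cache that silently discards every write
# (like ActiveSupport's :null_store). Constructed for this example.
class NullCache
  def write(_key, _value)
    true
  end

  def read(_key)
    nil
  end
end

# Minimal model of a cache-backed session: the cookie carries only the
# session id; every other key lives in the cache under that id.
class CacheSession
  attr_reader :id

  def initialize(cache, id = SecureRandom.hex(16))
    @cache = cache
    @id = id
  end

  def []=(key, value)
    data = load
    data[key] = value
    @cache.write("session:#{@id}", data)
  end

  def delete(key)
    data = load
    value = data.delete(key)
    @cache.write("session:#{@id}", data)
    value
  end

  def to_h
    load
  end

  private

  def load
    @cache.read("session:#{@id}") || {}
  end
end

# Request phase: mint a state nonce and park it in the session, as the
# OAuth2 strategy (and the quickstart's SessionHelper) does.
def request_phase(session)
  state = SecureRandom.hex(24)
  session["omniauth.state"] = state
  state
end

# Callback phase: the same comparison omniauth-oauth2 makes before
# exchanging the code. Returns :ok or :csrf_detected instead of fail!.
def callback_phase(session, params, provider_ignores_state: false)
  return :ok if provider_ignores_state

  returned = params["state"].to_s
  stored = session.delete("omniauth.state")
  return :csrf_detected if returned.empty? || returned != stored

  :ok
end

# Drive one login round-trip through a given cache backend. The callback
# arrives as a new request, so the session is reloaded by id from the cache.
def login_roundtrip(cache)
  session = CacheSession.new(cache)
  state = request_phase(session)
  later = CacheSession.new(cache, session.id)
  callback_phase(later, { "state" => state })
end

if __FILE__ == $PROGRAM_NAME
  puts "memory cache: #{login_roundtrip(MemoryCache.new)}"
  puts "null cache:   #{login_roundtrip(NullCache.new)}"
end
```

Because the state nonce is what ties the callback to the browser that started the login, a session store that cannot hold it leaves the strategy no way to distinguish a genuine callback from a forged one; provider_ignores_state: true only silences that check, while pointing config.cache_store at a store that actually persists (memory_store in development, a shared store such as Redis or Memcached in production) keeps it working.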


Hi, I am having the same issues and I am a newbie so I am not quite sure how you fixed it. Can you share the code you used in config.session_store to fix it?

Thank you