When following the Rails quickstart guide, my application threw a CSRF detected error (`csrf_detected | CSRF detected`).
This issue on the auth0-omniauth gem indicates that other people are having similar problems.
Digging into the stack trace, I discovered that the error is occurring on this line in the omniauth-oauth2 gem, specifically because `session.delete("omniauth.state")` is evaluating to nil.
Looking into the session, it appears that it is only storing the session ID and no other data, much less the OmniAuth state.
This parameter should be set in `SessionHelper#get_state`, as outlined in the Rails quickstart guide (`session['omniauth.state'] = state`).
Why isn't this information being stored? Is there a workaround for this other than setting `provider_ignores_state: true` in the Auth0 initializer?
I attempted to implement this solution using the auth0.js library instead of the lock.js library, but was unsuccessful.
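To make the failure mode in the question concrete, here is a small Ruby model of the OAuth2 `state` round-trip that omniauth-oauth2 enforces. This is an added example written for this page; it is not the gem's code, the Auth0 quickstart's `SessionHelper#get_state`, or anything from the poster. The `IdOnlySession` class is a constructed stand-in for a session that keeps nothing but its ID, which is the symptom described above, and `provider_ignores_state:` is modelled after the option named in the question.

```ruby
require "securerandom"

# Key the quickstart uses to stash the state in the Rails session.
STATE_KEY = "omniauth.state"

# Request phase (what SessionHelper#get_state is meant to do): mint a random,
# unguessable state, store it in the session, and send it to the provider.
def request_phase(session)
  state = SecureRandom.hex(24)
  session[STATE_KEY] = state
  state
end

# Callback phase, modelled on the gem's check: the provider echoes `state`
# back in the query string and it must equal the value stored at request time.
# `session.delete` makes the state single-use, so a replayed callback fails too.
def callback_phase(session, params, provider_ignores_state: false)
  return :ok if provider_ignores_state

  returned = params["state"].to_s
  stored   = session.delete(STATE_KEY) # nil when the session never kept it
  return :csrf_detected if returned.empty? || returned != stored

  :ok
end

# Constructed for this example: a session that persists only "session_id" and
# silently drops every other key, reproducing "only the session id, no other data".
class IdOnlySession < Hash
  def []=(key, value)
    super if key == "session_id"
  end
end

# Scenario 1: a working session round-trips the state and the callback passes.
def healthy_round_trip
  session = { "session_id" => "abc123" }
  state = request_phase(session)
  callback_phase(session, { "state" => state })
end

# Scenario 2: the same callback replayed a second time is rejected because
# the state was deleted on first use.
def replayed_callback
  session = { "session_id" => "abc123" }
  state = request_phase(session)
  callback_phase(session, { "state" => state })
  callback_phase(session, { "state" => state })
end

# Scenario 3: the session drops omniauth.state, so session.delete returns nil
# and the gem reports csrf_detected even though the provider echoed the right value.
def id_only_round_trip(provider_ignores_state: false)
  session = IdOnlySession.new
  session["session_id"] = "abc123"
  state = request_phase(session)
  callback_phase(session, { "state" => state },
                 provider_ignores_state: provider_ignores_state)
end

if __FILE__ == $PROGRAM_NAME
  puts "healthy:          #{healthy_round_trip}"
  puts "replayed:         #{replayed_callback}"
  puts "id-only session:  #{id_only_round_trip}"
  puts "ignores_state:    #{id_only_round_trip(provider_ignores_state: true)}"
end
```

Scenario 3 is the situation in the question: the provider is behaving, but the stored half of the comparison never survives to the callback, so the check can only fail. Setting `provider_ignores_state: true` makes the callback pass by skipping the comparison entirely, which removes the CSRF protection the state exists for; the fix is to get the session to persist `omniauth.state` between the two requests.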