When following the rails quickstart guide, my application threw a CSRF detected error (OmniAuth::Strategies::OAuth2::CallbackError csrf_detected | CSRF detected).
This issue on the auth0-omniauth gem indicates that other people are having similar problems.
Digging into the stack trace, I discovered that the error is occurring on this line in the omniauth-oauth2 gem, specifically because session.delete("omniauth.state") is evaluating to nil.
Looking into the session, it appears that it is only storing the session id and no other data, much less the omniauth state.
This parameter should be set in SessionHelper#get_state as outlined in the rails quickstart guide (session['omniauth.state'] = state).
Why isn't this information being stored? Is there a workaround for this other than setting provider_ignores_state: true in the auth0 initializer?
I attempted to implement this solution using the auth0.js library instead of the lock.js library, but was unsuccessful.
I'm using omniauth-auth0 (2.0.0), omniauth-oauth2 (1.4.0), omniauth (1.6.1) and auth0.min.js (8.8.0).
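To make the failure described above concrete, here is an added Ruby example (not code from the question, from omniauth-oauth2 or from omniauth-auth0) that models the OAuth2 state check the post is hitting: the request phase mints a state and stores it under the session key "omniauth.state", and the callback phase deletes that key and compares it with the state the provider sent back. The CallbackError class, the function names and the sample sessions are all constructed for this example. It shows the three cases that matter here: a session that kept the state (authentication succeeds), a session that holds only its id so the stored state is nil (the csrf_detected error from the question, even for a genuine callback), and provider_ignores_state: true (the check is skipped entirely, which is why it is a workaround with a cost rather than a fix).

```ruby
require "securerandom"

# Stand-in for the gem's CallbackError; constructed for this example only.
class CallbackError < StandardError
  attr_reader :code

  def initialize(code, message)
    @code = code
    super(message)
  end
end

# Request phase: mint a random state, remember it in the session, and hand it
# to the caller so it can be sent to the identity provider.
def begin_authorization(session)
  state = SecureRandom.hex(24)
  session["omniauth.state"] = state # the session key named in the question
  state
end

# Callback phase: the stored state is removed from the session (single use)
# and compared with the one the provider returned. If the session never held
# it, `expected` is nil and any returned state fails the comparison.
def handle_callback(session, params, provider_ignores_state: false)
  expected = session.delete("omniauth.state")
  returned = params["state"].to_s

  unless provider_ignores_state
    if returned.empty? || returned != expected
      raise CallbackError.new(:csrf_detected, "CSRF detected")
    end
  end

  :authenticated
end

# Scenario 1 (constructed): the session kept the state, so the callback passes.
def happy_path
  session = {}
  state = begin_authorization(session)
  handle_callback(session, { "state" => state })
end

# Scenario 2 (constructed): the situation in the question. The session holds
# nothing but its id, so the stored state is nil and even a legitimate
# callback is rejected with :csrf_detected.
def session_lost_state
  session = { "session_id" => "abc123" }
  state = SecureRandom.hex(24) # the provider echoes a state the session forgot
  handle_callback(session, { "state" => state })
rescue CallbackError => e
  e.code
end

# Scenario 3 (constructed): provider_ignores_state: true disables the check,
# so any callback is accepted regardless of what the session contains.
def state_check_ignored
  session = {}
  handle_callback(session, { "state" => "unrelated" }, provider_ignores_state: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "session kept state:      #{happy_path}"
  puts "session lost state:      #{session_lost_state}"
  puts "provider_ignores_state:  #{state_check_ignored}"
end
```

The second scenario is the one to debug: when the state is nil at callback time, the question is why the session written during the request phase is not the session read during the callback (cookie not persisted, a different session store, or a cross-site cookie being dropped), not whether the comparison itself is wrong.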