StateParameters (Ruby on Rails application) omniauth auth0

I'm following this article and I don't know how to add the state parameter to the request in the example: tenant.auth0.com/authorize?...&state=xyzABC123

I'm following the quickstart guide. After I create an RWA, I add the routes, the auth0 controller and, for the erb or front view, this button:
<%= button_to "Have an account? Login",
  "/auth/auth0",
  method: :post,
  class: "link--primary-auth0" %>

Do I create a new method?
def authorize
  # create the random hex for the state to pass to the auth0 callback?
  state = SecureRandom.hex(16)
end
Routes: get '/auth/authorize' => 'auth0#authorize'

Front end

<%= button_to "Have an account? Login",
  "/auth/auth0",
  method: :post,
  class: "link--primary-auth0" %>

Controller

  def callback
    auth_info = request.env['omniauth.auth']
    session[:userinfo] = auth_info.dig('extra', 'raw_info')

    email = session.dig(:userinfo, :email)
    user = User.find_by(email: email)

    sign_in(user) if user.present?

    redirect_to '/'
  end

Routes

  get '/auth/auth0/callback' => 'auth0#callback'
  get '/auth/failure' => 'auth0#failure'
  get '/auth/logout' => 'auth0#logout'

I saw this thread: Adding an extra param to auth0 call

but how will i add the state parameter here:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider(
    :auth0,
    ENV["AUTH0_EXTERNAL_RWA_CLIENT_ID"],
    ENV["AUTH0_EXTERNAL_RWA_CLIENT_SECRET"],
    ENV["AUTH0_EXTERNAL_DOMAIN"],
    callback_path: '/auth/auth0/callback',
    authorize_params: {
      scope: 'openid profile email',
      connection: ENV["AUTH0_EXTERNAL_DATABASE_CONNECTION"],
      state: ???????
    }
  )
end

Hi @csuntay,

Welcome to the Auth0 Community!

You don’t need to manually add the state param to the request, it’s added by default.

I’m not an expert with ruby, but it looks like it’s implemented here:

Hi Dan,

But I'm confused about how to implement this: Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters

I just want to redirect back to the last link before the authorization, not the redirect_to '/' in the controller.

  def callback
    auth_info = request.env['omniauth.auth']
    session[:userinfo] = auth_info.dig('extra', 'raw_info')

    email = session.dig(:userinfo, :email)
    user = User.find_by(email: email)

    sign_in(user) if user.present?

    redirect_to '/'
  end

I tried redirect_to request.original_fullpath but I'm getting nothing.

Does passing the state in the authorize_params object not work? Is it being overwritten?
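The two things the thread is asking about, as an added Ruby example that is not from the original posts, from omniauth-auth0 or from the Auth0 quickstart: a random per-login state kept in the session and checked on callback (OmniAuth's OAuth2 strategy already does this for you under the session key `omniauth.state`, which is why it need not go in `authorize_params`), and a validated return path so the callback can send the user back to where they started instead of `/` (OmniAuth stores that under `omniauth.origin`). The session here is a plain Hash standing in for the Rails session, and the method names are assumptions.

```ruby
require 'securerandom'
require 'uri'

# Constant-time string comparison, so a wrong state does not leak how many
# leading bytes matched through timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Request phase: remember a random state and the page to come back to.
# Keys mirror what OmniAuth keeps in the session ('omniauth.state', 'omniauth.origin').
def begin_login(session, return_to)
  session['omniauth.state']  = SecureRandom.hex(24)
  session['omniauth.origin'] = return_to
  session['omniauth.state']
end

# Only same-site relative paths may be used as a return target; anything with
# a scheme or host (https://..., //evil.example/...) falls back, so a tampered
# origin cannot turn the callback into an open redirect.
def safe_return_path(origin, fallback: '/')
  return fallback if origin.nil? || origin.empty?
  uri = (URI.parse(origin) rescue nil)
  return fallback if uri.nil? || uri.scheme || uri.host
  return fallback unless origin.start_with?('/') && !origin.start_with?('//')
  origin
end

# Callback phase: the state from the query string must match the one stored
# in the session; it is consumed either way so it cannot be replayed.
def complete_login(session, params)
  expected = session.delete('omniauth.state')
  given    = params['state'].to_s
  return { ok: false, redirect: '/auth/failure' } if expected.nil?
  return { ok: false, redirect: '/auth/failure' } unless secure_compare(expected, given)
  { ok: true, redirect: safe_return_path(session.delete('omniauth.origin')) }
end
```

In a Rails controller the same checks are what `request.env['omniauth.origin']` and OmniAuth's built-in state verification give you; the `redirect_to` in `callback` would use the validated origin rather than a fixed `/`.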
