I'm following this article and I don't know how to add the state parameter to the request in the example: tenant.auth0.com/authorize?...&state=xyzABC123
I'm following the quickstart guide: after I create an RWA, I add the routes and the auth0 controller, and for the ERB front view I have this button:
```erb
<%= button_to "Have an account? Login",
              "/auth/auth0",
              method: :post,
              class: "link--primary-auth0" %>
```
Do I create a new method?
```ruby
def authorize
  # create the random hex for the state to pass to the auth0 callback?
end
```
Routes: `get '/auth/authorize' => 'auth0#authorize'`
Front end
```erb
<%= button_to "Have an account? Login",
              "/auth/auth0",
              method: :post,
              class: "link--primary-auth0" %>
```
Controller
```ruby
def callback
  auth_info = request.env['omniauth.auth']
  session[:userinfo] = auth_info.dig('extra', 'raw_info')
  email = session.dig(:userinfo, :email)
  user = User.find_by(email: email)
  sign_in(user) if user.present?
  redirect_to '/'
end
```
Routes
```ruby
get '/auth/auth0/callback' => 'auth0#callback'
get '/auth/failure' => 'auth0#failure'
get '/auth/logout' => 'auth0#logout'
```
I saw this thread: Adding an extra param to auth0 call
but how will I add the state parameter here:
```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider(
    :auth0,
    ENV["AUTH0_EXTERNAL_RWA_CLIENT_ID"],
    ENV["AUTH0_EXTERNAL_RWA_CLIENT_SECRET"],
    ENV["AUTH0_EXTERNAL_DOMAIN"],
    callback_path: '/auth/auth0/callback',
    authorize_params: {
      scope: 'openid profile email',
      connection: ENV["AUTH0_EXTERNAL_DATABASE_CONNECTION"],
      state: ???????
    }
  )
end
```
Hi @csuntay ,
Welcome to the Auth0 Community!
You don't need to manually add the state param to the request; it's added by default.
I'm not an expert with Ruby, but it looks like it's implemented here:
```ruby
# Excerpt from the omniauth-oauth2 strategy (OmniAuth::Strategies::OAuth2);
# it starts mid-file, at the end of the `credentials` block.
  hash["expires_at"] = access_token.expires_at if access_token.expires?
  hash["expires"] = access_token.expires?
  hash
end

def request_phase
  redirect client.auth_code.authorize_url({:redirect_uri => callback_url}.merge(authorize_params))
end

def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
  # A fresh random state is generated for every authorize request.
  options.authorize_params[:state] = SecureRandom.hex(24)

  if OmniAuth.config.test_mode
    @env ||= {}
    @env["rack.session"] ||= {}
  end

  params = options.authorize_params
                  .merge(options_for("authorize"))
                  .merge(pkce_authorize_params)
```
Hi Dan,
But I'm confused on how do I implement this? Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters
I just want to redirect back to the last link before the authorization, not the `redirect_to '/'` in the controller:
```ruby
def callback
  auth_info = request.env['omniauth.auth']
  session[:userinfo] = auth_info.dig('extra', 'raw_info')
  email = session.dig(:userinfo, :email)
  user = User.find_by(email: email)
  sign_in(user) if user.present?
  redirect_to '/'
end
```
I tried `redirect_to request.original_fullpath` but I'm getting nothing.
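As an added example that is not part of this thread or the Auth0 quickstart, here is a small Ruby module showing the pattern the linked article recommends for the "redirect back to the last link" question: keep the return path in the Rails session under its own key and leave `state` to omniauth-oauth2 (which generates and verifies it for CSRF protection), accepting only local paths so the callback cannot become an open redirect. `ReturnTo`, `app_host:` and the session key are assumed names; in a Rails app you would call `remember` before sending the user to `/auth/auth0` (the Referer or `request.env['omniauth.origin']` is a typical candidate) and `pop` in `callback` in place of `redirect_to '/'`.

```ruby
require "uri"

# Added example, not code from the thread: stash the post-login destination in the
# session under its own key and leave `state` to omniauth-oauth2, which already
# generates a random value and checks it on the callback (CSRF protection).
# `ReturnTo`, `app_host:` and SESSION_KEY are assumed names for this example.
module ReturnTo
  SESSION_KEY = "return_to".freeze

  # Reduce a candidate URL (Referer, an ?origin= param, omniauth.origin) to a
  # local path. Anything that would leave the application yields nil, so a
  # tampered return URL cannot turn the callback into an open redirect.
  def self.local_path(candidate, app_host:)
    return nil if candidate.nil? || candidate.strip.empty?
    uri = URI.parse(candidate.strip)
    # Only plain web schemes; "javascript:" and friends are rejected.
    return nil if uri.scheme && !%w[http https].include?(uri.scheme)
    # Absolute and protocol-relative URLs must point at our own host.
    return nil if uri.host && !uri.host.casecmp?(app_host)
    path = uri.path.to_s
    path = "/" if path.empty? && uri.host
    return nil unless path.start_with?("/")
    # "//foo" would be read by the browser as a protocol-relative URL.
    return nil if path.start_with?("//")
    path += "?#{uri.query}" if uri.query
    path
  rescue URI::InvalidURIError
    nil # backslashes, spaces and other malformed input
  end

  # Call this before redirecting to /auth/auth0; returns the stored path or nil.
  def self.remember(session, candidate, app_host:)
    path = local_path(candidate, app_host: app_host)
    session[SESSION_KEY] = path if path
    path
  end

  # Call this in the OmniAuth callback in place of redirect_to '/'.
  def self.pop(session, fallback: "/")
    session.delete(SESSION_KEY) || fallback
  end
end
```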
Does passing the state in the authorize_params object not work? Is it being overwritten?
dan.woda split this topic on August 25, 2023, 1:07pm.
system closed this topic on September 27, 2023, 2:12pm: it was automatically closed 14 days after the last reply, and new replies are no longer allowed.