22

I'm getting this:

OmniAuth::Strategies::OAuth2::CallbackError at /auth/google/callback csrf_detected | CSRF detected

My code:

require 'sinatra'
require "sinatra/json"
require "sinatra/config_file"
require 'omniauth-oauth2'
require 'omniauth-google-oauth2'

use Rack::Logger

config_file "config/app_config.yml"
use Rack::Session::Cookie, secret: '5fb7w345y3489f523y4h'

configure do
  enable :sessions
end

use OmniAuth::Builder do
  provider :google_oauth2, settings.google[:client_id], settings.google[:secret],
    {
      :scope => "userinfo.profile",
      :access_type => "offline",
      :prompt => "select_account consent",
      :name => "google"
    }
end

get '/list' do
  json get_list
end

get '/' do
  %Q|<a href='/auth/google'>Sign in with Google</a>|
end

get '/auth/:name/callback' do
  @auth = request.env['omniauth.auth']
  @auth.inspect
end

My callback is returning both code and state.

Sven R.
Joseph Le Brech

4 Answers

11

This problem occurs with Rails when the domain defined in /config/initializers/session_store.rb is different from the origin/redirect_uri defined in the Google API console.

MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'

Removing the domain param or using the same domain on both sides fixed the problem.

Vincent Pochet
  • Also check that cookies are enabled in the browser; that fixed my CSRF detected error. My /config/initializers/session_store.rb: `Rails.application.config.session_store :cookie_store, key: '_XXX-XXXXX_session'` – Conor Apr 04 '15 at 11:47
11

If you are using Devise with OmniAuth, you need to skip the extra omniauth.rb initializer file and simply add config.provider "KEY", "SECRET" inside your initializers/devise.rb and then carry on with your implementation.

rahul patil
  • This solved the problem for me, not the other stuff -- I already had domain: :all in the session store config. – David Haley Oct 06 '14 at 08:12
  • Fixed for us as well... The reason why this fixes it is that if you have the code in both locations, it fires this code from the omniauth gem twice, and the second time omniauth.state is nil because it was deleted in the first iteration: `elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state")) fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))` – parameter Oct 21 '16 at 22:03
10

Got the same problem:

(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

The last omniauth-oauth2 update introduced the "state" param as a mandatory field.

Some people suggest using provider_ignores_state: true, but it's a bad idea because it introduces a CSRF flaw.

Guess we'll have to downgrade to the previous version to keep google_oauth2 working.

Issue on GitHub: https://github.com/intridea/omniauth-oauth2/issues/58

Sven R.
gdurelle
  • A website did this to me. Is there a workaround for me as a user? – Tomáš Zato Feb 14 '15 at 05:28
  • So what's the version that makes this work? Also, set "provider_ignores_state: true" where? – Dave Sep 08 '16 at 21:12
  • As suggested by their GitHub repo `provider_ignores_state` is only for AJAX flows. https://github.com/zquestz/omniauth-google-oauth2/blob/247eba0b53381a1193edb528e42648885cbc18bf/examples/config.ru#L114-L119 – Kartikey Tanna Apr 28 '18 at 04:52
0

Are you hitting back and reattempting to log in? I was getting this issue and it was really confusing me, but it was because I was going back to retry. If I typed in the address again, I wouldn't get the issue.

Thomas Marchant
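Every answer above is hitting the same line of the gem: the callback-phase check quoted in parameter's comment on the second answer, which requires the `state` the provider echoes back to equal the one stored in the session during the request phase, and which consumes (deletes) the stored value on first use. The following is an added example, not code from the question, the answers, or the omniauth gems: a self-contained Ruby model of that request/callback pair, run through the situations the four answers describe (session cookie not returned because of a domain mismatch or disabled cookies, the callback firing twice because the provider is registered twice, a Back-button replay of an old callback URL, and what `provider_ignores_state: true` gives up). The class name `StateDemo`, the method names and the constructed `code` values are this example's own; only the check itself mirrors the quoted gem condition.

```ruby
require 'securerandom'
require 'uri'
require 'cgi'

# Minimal model of the OmniAuth OAuth2 request and callback phases.
# Added example, not the omniauth-oauth2 gem's code; the callback condition
# mirrors the one quoted from the gem in the comments above:
#   !options.provider_ignores_state &&
#     (params["state"].to_s.empty? || params["state"] != session.delete("omniauth.state"))
class StateDemo
  CallbackError = Class.new(StandardError)

  # Request phase: mint a random state, keep it in the session and send the same
  # value to the provider in the authorize URL. The session is the user's cookie.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session['omniauth.state'] = state
    authorize_url = "https://accounts.google.com/o/oauth2/auth?response_type=code&state=#{state}"
    [authorize_url, session]
  end

  # Callback phase: the echoed state must be present and equal to the session
  # copy, which is deleted as a side effect, so each state is usable only once.
  def self.callback_phase(params, session, provider_ignores_state: false)
    if !provider_ignores_state &&
       (params['state'].to_s.empty? || params['state'] != session.delete('omniauth.state'))
      raise CallbackError, 'csrf_detected | CSRF detected'
    end
    { code: params['code'], ok: true }
  end

  # Runs the callback and reports :ok or :csrf_detected instead of raising.
  def self.outcome(params, session, **opts)
    callback_phase(params, session, **opts)
    :ok
  rescue CallbackError
    :csrf_detected
  end

  # Pulls the state value back out of an authorize URL (what the provider echoes).
  def self.state_from(url)
    CGI.parse(URI(url).query)['state'].first
  end

  # Scenario 1: the session cookie round-trips and the state matches.
  def self.happy_path
    url, session = request_phase({})
    outcome({ 'code' => 'AUTHCODE', 'state' => state_from(url) }, session)
  end

  # Scenario 2 (first answer, Conor's comment): the cookie written during the
  # request phase is never sent back (cookie domain mismatch, cookies disabled),
  # so the callback sees an empty session and session.delete returns nil.
  def self.session_not_returned
    url, _lost_session = request_phase({})
    outcome({ 'code' => 'AUTHCODE', 'state' => state_from(url) }, {})
  end

  # Scenario 3 (second answer): the provider is registered twice, so the callback
  # runs twice on the same request; the first run already deleted the state.
  def self.callback_run_twice
    url, session = request_phase({})
    params = { 'code' => 'AUTHCODE', 'state' => state_from(url) }
    [outcome(params, session), outcome(params, session)]
  end

  # Scenario 4 (fourth answer): the user presses Back and resubmits the old
  # callback URL after a new request phase has overwritten omniauth.state.
  def self.back_button_replay
    old_url, session = request_phase({})
    _new_url, session = request_phase(session)
    outcome({ 'code' => 'AUTHCODE', 'state' => state_from(old_url) }, session)
  end

  # Scenario 5 (third answer): with provider_ignores_state the check is skipped,
  # so a callback carrying an attacker-chosen code and no session state at all
  # is accepted. That is the login-CSRF hole the answer warns about.
  def self.ignores_state_accepts_foreign_code
    outcome({ 'code' => 'ATTACKER_CODE' }, {}, provider_ignores_state: true)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "happy path:            #{StateDemo.happy_path}"
  puts "session not returned:  #{StateDemo.session_not_returned}"
  puts "callback run twice:    #{StateDemo.callback_run_twice.inspect}"
  puts "back-button replay:    #{StateDemo.back_button_replay}"
  puts "ignores_state, no session: #{StateDemo.ignores_state_accepts_foreign_code}"
end
```

Reading the scenarios against the Sinatra code in the question: anything that makes the session seen by `/auth/google` differ from the session seen by `/auth/google/callback` (a cookie scoped to the wrong domain, a second session middleware writing its own cookie, a browser that drops the cookie) produces scenario 2, and a stacked or duplicated provider registration produces scenario 3. Scenario 5 is why `provider_ignores_state: true` is a fix only in the sense that it removes the check: the comparison is the CSRF protection, so the right repair is to make the same session reach both phases.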