Rails 4 + omniauth facebook - csrf detected

Question

I am working on my RoR4 app to enable users to login via existing facebook account. I registered a facebook app (a live and tested version) and stored its api and secret in development.rb. I used omniauth-facebook and devise gems and encountered an "Csrf detected" problem.

My application's code is highy inspired from this blogpost: http://sourcey.com/rails-4-omniauth-using-devise-with-twitter-facebook-and-linkedin/

I did see a solution from a stackoverflow post dated 2 years ago (Rails + omniauth + facebook - csrf detected) - but latest omniauth-facebook version is much greater than the one posted. Either way, I tried to roll back to omniauth-facebook gem to version 1.4.1 and I still encountered this problem.

Gems

oauth2 (1.0.0)
omniauth (1.2.2)
omniauth-facebook (2.0.1)
omniauth-oauth2 (1.3.1)

Ideas?

Errors log

(facebook) Callback phase initiated.
(facebook) Callback phase initiated.
(facebook) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

Sibin Xavier · Accepted Answer · 2015-12-04T05:31:31.143

3

I have similar issue with device and omniauth-facebook, but it was my mistake.

Previously I have added facebook app id and secrets in both device.rb and omniauth.rb initializer (Both are initializers in config/initializers folder ). I removed these facebook configurations from omniauth.rb and restarted server, and It works.

Please check your device.rb and and other omniauth related initializers.

May be it work..

edited Dec 04 '15 at 05:31

answered Nov 13 '15 at 10:23

Sibin Xavier

196
7

you mean `devise.rb` ? – 0x4a6f4672 Oct 13 '16 at 14:06
I had the same issue. I had put my app id and secret in both the devise initializer and a omniauth initializer. Removing the duplicate credentials in devise.rb fixed the issue. – magagnon Dec 18 '17 at 00:16

Rails 4 + omniauth facebook - csrf detected

1 Answers1