11

ruby '2.6.3'
gem 'rails', '~> 6.0.2', '>= 6.0.2.1'

I'm using the latest omniauth-facebook and devise together. Gemfile:

gem 'devise'
gem 'omniauth-facebook'

Getting this error when starting the server:

/versions/2.6.3/lib/ruby/gems/2.6.0/gems/devise-4.7.3/lib/devise/omniauth.rb:12:in `': You are using an old OmniAuth version, please ensure you have 1.0.0.pr2 version or later installed. (RuntimeError)

The problem is that if I try to use older omniauth-facebook versions the server works but then the Facebook authentication stops working properly (e.g. fails to include emails despite

scope: 'email', info_fields: 'email,name'

in devise.rb).

I have tried many different version combinations of omniauth-facebook and devise. Either Facebook-authentication stops working properly or the server fails (see above).

jco40
  • This is a known issue with devise and there is a PR https://github.com/heartcombo/devise/pull/5327 – dbugger Jan 13 '21 at 14:03

5 Answers

19

Using

gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'

in the Gemfile will fix the problem, awaiting a merge.

Updated my answer based on Carlos's answer below; I was in a rush when I posted this using ref.

Thank you, Carlos, for maintaining Devise.

user706001
  • More information can be found here https://github.com/heartcombo/devise/pull/5327 – user706001 Jan 15 '21 at 07:33
  • 1
    Thanks a lot! That solves the problem of the server not starting. However, it is now running into that seemingly unsolvable "Not found. Authentication passthru." problem, which - for the same code - didn't happen with the older facebook-omniauth versions. (Already tried all existing stackoverflow suggestions for that.) In any case, thanks a lot for your help! – jco40 Jan 15 '21 at 13:06
  • @jco40 did you figure out "Not found. Authentication passthru."? I have started getting the same. – user706001 Feb 23 '21 at 09:44
  • 1
    Change your links to user_google_oauth2_omniauth_authorize_path, method: :post and add the gem https://github.com/cookpad/omniauth-rails_csrf_protection For more information visit: https://github.com/heartcombo/devise/issues/5236 – user706001 Feb 23 '21 at 10:10
11

This is Carlos, Devise maintainer. Please keep an eye on that Pull Request linked above, I just shared how you can test it in your app there:

I'd recommend using the branch ref instead of the git ref directly:

gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'

With that you should be able to run bundle update devise omniauth which should hopefully give you OmniAuth 2 and this Devise branch. That should allow the app to boot up.

Lastly, if you've copied over the Devise shared links on your app, or if you have your own links to initiate the OmniAuth authentication flow, you need to make sure they're changed to use a form. (You can do that by using link_to with method: :post option for example, or using button_to, if that works for your app.) Please note that this is a requirement change in how OmniAuth works due to a security issue, read more.

If you run into any issues please comment back in GitHub, and we'll work to get them resolved soon so we can release a new Devise version that fully supports OmniAuth 2. Thanks.

Carlos Antonio
  • 3
    Update as on Apr 17, 2021: It seems the above branch is now merged to master. So just `gem 'devise', github: 'heartcombo/devise'` works (get the gem from master). – paneer_tikka Apr 17 '21 at 04:08
10

Devise 4.8.0 (shipped yesterday) resolves this.

Tom Fast
2

Please downgrade OmniAuth:

gem "omniauth", "~> 1.9.1"

That's worked for me.

tripleee
  • 3
    I'm not sure if this advice is good. Omniauth < 2.0.0 has a vulnerability marked with criticality high. Bundler audit says to upgrade to omniauth >= 2.0.0 https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 – Casaper Feb 04 '21 at 09:38
1

I'm pretty sure the issue is related to this devise PR, https://github.com/heartcombo/devise/pull/5327

Devise currently has a version check that doesn't include OmniAuth > 1.x.x

xion
  • Thanks! Makes sense. I guess we have to wait for the devise gem update then. In the meantime are you aware of any Omniauth-facebook version that hits the sweet spot i.e. new enough to include Facebook emails, old enough to work with devise? – jco40 Jan 14 '21 at 07:25
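
The version constraints reported across the answers above, turned into a Gemfile.lock check. This is an added example, not code from the thread or from Devise: the sample lockfile and the finding names are constructed, and the thresholds (Devise 4.8.0, OmniAuth 2.0.0) are the ones the answers and comments state.

```ruby
# Added example (not from the thread): audit Gemfile.lock text for the
# devise/omniauth pairings discussed on this page.
DEVISE_WITH_OMNIAUTH2 = Gem::Version.new('4.8.0') # per the answers above
OMNIAUTH_PATCHED      = Gem::Version.new('2.0.0') # per the bundler-audit comment
CSRF_GEM              = 'omniauth-rails_csrf_protection'

# Constructed sample lockfile; the version numbers are illustrative.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (4.7.3)
        bcrypt (~> 3.0)
      omniauth (2.0.1)
        rack (>= 1.6.2, < 3)
      omniauth-facebook (8.0.0)
        omniauth-oauth2 (~> 1.2)
LOCK

# Resolved gems sit at four spaces of indent; their dependency lines (six
# spaces) are skipped. The section header tells us if a gem came from GIT.
def locked_gems(lockfile_text)
  section = nil
  lockfile_text.each_line.with_object({}) do |line, found|
    section = line.strip if line.match?(/\A[A-Z]/)
    m = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/)
    next unless m && Gem::Version.correct?(m[2])
    found[m[1]] = { version: Gem::Version.new(m[2]), git: section == 'GIT' }
  end
end

def audit(lockfile_text)
  gems = locked_gems(lockfile_text)
  devise, omniauth = gems['devise'], gems['omniauth']
  findings = []
  return findings unless omniauth
  if omniauth[:version] < OMNIAUTH_PATCHED
    findings << :omniauth_cve_2015_9284 # the range bundler-audit flags
  elsif devise && devise[:version] < DEVISE_WITH_OMNIAUTH2
    # A git-sourced devise (the branch workaround) may still report an older
    # release number, so the version alone cannot settle that case.
    findings << (devise[:git] ? :devise_from_git_check_manually : :devise_rejects_omniauth2)
  end
  findings << :csrf_protection_gem_missing unless gems.key?(CSRF_GEM)
  findings
end

puts audit(SAMPLE_LOCK).inspect if $PROGRAM_NAME == __FILE__
```

An empty result means the lockfile pairs an OmniAuth 2 release with Devise 4.8.0 or later and includes the CSRF protection gem recommended in the comments; the sign-in links still have to be switched to POST by hand.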