basecamp / kamal-proxy

Lightweight proxy server for Kamal
https://kamal-deploy.org/
MIT License
737 stars 30 forks

Apple Sign In with Rails and Kamal raises ActionController::InvalidAuthenticityToken error #67

Open joaomarceloods opened 4 days ago

joaomarceloods commented 4 days ago

Context: Apple sign-in with omniauth-apple worked fine until a week ago when the company moved the app to Kamal. We started getting this error:

ActionController::InvalidAuthenticityToken (HTTP Origin header (https://appleid.apple.com/) didn’t match request.base_url (https://www.myapp.com/))

I found a suggestion to forward the X-Forwarded-Proto and X-Forwarded-Ssl headers. The X-Forwarded-Proto is configurable in Kamal but it didn't fix the issue. X-Forwarded-Ssl doesn't seem to be configurable.

I also found a suggestion to set the Origin header to your own domain, but I don't think that's configurable with Kamal.

Is there another way to configure these headers? Any help fixing this issue is appreciated too.

3v0k4 commented 4 days ago

It looks like Apple performs a POST to the redirect URI instead of the usual OAuth flow. I assume that the error you see happens at that stage since the POST triggers the CSRF check.

There are some interesting links in this issue with all sorts of solutions (watch out for the insecure hacks!).

I'd speculate that in the process of moving to Kamal, some other workarounds that your company had in place were removed.

Issue in omniauth-apple: https://github.com/nhosoya/omniauth-apple/issues/114
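The two comments above describe, between them, why forwarding headers cannot fix this and what protects the callback instead. The following is an added example written for this page; it is not code from the issue, from kamal-proxy or from omniauth-apple. It is a plain Ruby model of the Rails origin check that produces the quoted error (the real check lives in ActionController::RequestForgeryProtection and compares the Origin header with request.base_url), with a second function showing why X-Forwarded-Proto matters for a different failure, and a hypothetical callback handler that binds Apple's cross-site form POST to the user's session through the OAuth state value instead. The names check_post, base_url_for, begin_apple_login and apple_callback are assumptions made for the example, as is the simplified base_url construction (default ports only). Note from the quoted message that request.base_url is already https://www.myapp.com, so the proxy headers in the report were already correct; the mismatch is the Origin of the POST itself, which Apple sends and which no header on your side can change.

```ruby
require "securerandom"

# --- What Rails checks ------------------------------------------------------
# Rails accepts a state-changing request when it carries no Origin header or
# when Origin equals request.base_url. A cross-site form POST always carries
# the sender's Origin, so this check can only ever pass for same-origin forms.
def valid_request_origin?(origin, base_url)
  origin.nil? || origin == base_url
end

# request.base_url is "scheme://host". Behind a TLS-terminating proxy the app
# sees plain HTTP on the socket, so the scheme comes from X-Forwarded-Proto if
# the proxy sets it and falls back to "http" otherwise. (Assumption: default
# ports, no port component.)
def base_url_for(host, forwarded_proto: nil)
  scheme = forwarded_proto || "http"
  "#{scheme}://#{host}"
end

# Error text in the shape quoted in the report.
def rails_origin_error(origin, base_url)
  "HTTP Origin header (#{origin}) didn't match request.base_url (#{base_url})"
end

# Runs the origin check on a constructed request; returns :ok or the error text.
def check_post(host:, origin:, forwarded_proto: nil)
  base_url = base_url_for(host, forwarded_proto: forwarded_proto)
  return :ok if valid_request_origin?(origin, base_url)
  rails_origin_error(origin, base_url)
end

# --- What protects the callback instead --------------------------------------
# Constant-time string comparison so the state check does not leak via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Request phase: mint a one-time state, keep it in the session, send it to Apple.
def begin_apple_login(session)
  session["omniauth.state"] = SecureRandom.hex(24)
end

# Callback phase for Apple's form POST. The Rails Origin check is deliberately
# not applied to this one action; the cross-site POST is instead tied to the
# user's session through the state issued in the request phase (the same idea
# the OAuth2 state parameter exists for). Returns :ok or a failure symbol.
def apple_callback(session, params)
  expected = session.delete("omniauth.state") # single use: replay fails
  return :csrf_detected unless secure_equal?(expected, params["state"])
  code = params["code"]
  return :missing_code unless code.is_a?(String) && !code.empty?
  # Not modelled here: exchange code, verify the id_token signature and nonce.
  :ok
end

if __FILE__ == $0
  # Constructed requests: same-origin form, proxy without X-Forwarded-Proto,
  # and Apple's callback POST.
  puts check_post(host: "www.myapp.com", origin: "https://www.myapp.com", forwarded_proto: "https")
  puts check_post(host: "www.myapp.com", origin: "https://www.myapp.com")
  puts check_post(host: "www.myapp.com", origin: "https://appleid.apple.com", forwarded_proto: "https")
  session = {}
  state = begin_apple_login(session)
  puts apple_callback(session, { "state" => state, "code" => "c.abc" })
end
```

The second check_post call is the failure that forwarding X-Forwarded-Proto does fix: without it, base_url becomes http://www.myapp.com and even your own forms fail. The third call is the Apple case and fails with any header configuration. In a Rails app the equivalent of apple_callback's exemption is a `skip_before_action :verify_authenticity_token` scoped to the single callback action, keeping the check everywhere else. Two caveats for that design: the state check only works if the browser sends the session cookie on the cross-site POST, which a SameSite=Lax or Strict session cookie prevents, and the state value is not a substitute for verifying the id_token Apple returns.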