Closed yob closed 6 years ago
This unfortunately breaks the csrf checks in Rails which uses the state parameter. See for example https://github.com/omniauth/omniauth-oauth2/issues/32. The workaround is to add {:provider_ignores_state => true} to your omniauth configuration.
The current ORCID docs say:
We've tested this in our system (a rails app at theconversation.com) and confirmed that sign in via ORCID continues to work when provider_ignores_state is set to false.

OAuth2 sign ins are reportedly safer when the state param is checked, so it may be worth changing the default behaviour.
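
An added sketch, not part of the original post and not omniauth-oauth2's own code, of the state check that provider_ignores_state switches off. The class, the session key "oauth.state" and the helper names are hypothetical, and the callback values are constructed.

```ruby
require "securerandom"

# Hypothetical stand-in for an OAuth2 client strategy (illustration only).
class StateCheckingClient
  class CsrfDetected < StandardError; end

  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
  end

  # Request phase: mint an unguessable state and bind it to the user's session.
  def authorize_params(session)
    session["oauth.state"] = SecureRandom.hex(24)
    { "response_type" => "code", "state" => session["oauth.state"] }
  end

  # Callback phase: the state echoed back must equal the one stored in this
  # session. The stored value is deleted, so it is single-use.
  def verify_callback!(session, params)
    expected = session.delete("oauth.state")
    return true if @provider_ignores_state # check disabled: any callback passes

    returned = params["state"].to_s
    unless expected && !returned.empty? && secure_equal?(expected, returned)
      raise CsrfDetected, "state missing or does not match session"
    end
    true
  end

  private

  # Constant-time comparison without external dependencies.
  def secure_equal?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: a callback whose state was never issued to this session.
def callback_outcome(ignores_state:, forged:)
  client = StateCheckingClient.new(provider_ignores_state: ignores_state)
  session = {}
  issued = client.authorize_params(session)["state"]
  params = { "code" => "constructed-code", "state" => forged ? "not-issued-here" : issued }
  client.verify_callback!(session, params) ? :accepted : :rejected
rescue StateCheckingClient::CsrfDetected
  :rejected
end
```

With the check enabled, only the callback carrying the session's own state is accepted; with it disabled, the mismatched callback is accepted as well.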