heartcombo / devise

Flexible authentication solution for Rails with Warden.
http://blog.plataformatec.com.br/tag/devise/
MIT License

Omniauth SAML callback triggers ActionController::InvalidAuthenticityToken #5210

Open spemmons opened 4 years ago

spemmons commented 4 years ago

Environment

Current behavior

When 'protect_from_forgery' is in use, ActionController::InvalidAuthenticityToken is triggered when receiving a callback request from the SAML IdP.

The fix was to add the following to ApplicationController:

skip_forgery_protection if: :saml_callback_path?

# Exempt only the OmniAuth SAML callback route from the CSRF check.
def saml_callback_path?
  request.fullpath == '/.../auth/saml/callback'
end

Expected behavior

This is fine, but what I would really like is an elegant way to add this to the appropriate Devise controller, with something like:

skip_forgery_protection only: '???' <-- where ??? is whatever the action method name is for the callback
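
The report above exempts the callback by comparing `request.fullpath` against a path string. As an added example (not code from the devise project or from the issue author), the following plain Ruby models that exemption with a narrower predicate and a toy version of `protect_from_forgery`, so the behaviour can be checked offline without Rails. It assumes Devise's default callback path for a `users` scope (`/users/auth/saml/callback`) and that the IdP delivers the SAMLResponse with the HTTP-POST binding; the `Request` struct, the sample requests and the session token are constructed stand-ins for `ActionDispatch::Request` and the real session.

```ruby
require "uri"

# Constructed stand-in for ActionDispatch::Request. Like Rails, `path` is the
# fullpath with the query string removed.
Request = Struct.new(:request_method, :fullpath, :params, keyword_init: true) do
  def path
    URI.parse(fullpath).path
  end
end

# Assumption: Devise's default OmniAuth callback route for a `users` scope.
SAML_CALLBACK_PATH = "/users/auth/saml/callback".freeze

# Narrow exemption predicate. Compare request.path rather than fullpath so a
# query string (e.g. RelayState) cannot defeat the match, require an exact path
# so neighbouring routes are not exempted, and require POST because that is how
# the IdP posts the SAMLResponse; a GET to the same path stays protected.
def saml_callback_request?(request)
  request.request_method == "POST" && request.path == SAML_CALLBACK_PATH
end

# Toy model of protect_from_forgery: non-idempotent requests must carry the
# session's CSRF token, except on the explicitly exempted callback route.
def forgery_check(request, session_token:)
  return :exempt_saml_callback if saml_callback_request?(request)
  return :ok if %w[GET HEAD].include?(request.request_method)

  if request.params["authenticity_token"] == session_token
    :ok
  else
    :invalid_authenticity_token
  end
end

# Constructed sample requests: the IdP callback (no Rails token, but exempt), a
# form post with a valid token, a cross-site post to another route, a post to a
# route that merely shares the callback's prefix, and a GET to the callback path.
def sample_results(session_token = "constructed-session-token")
  requests = {
    idp_callback: Request.new(request_method: "POST",
                              fullpath: "/users/auth/saml/callback?RelayState=%2Fdashboard",
                              params: { "SAMLResponse" => "<constructed base64 assertion>" }),
    form_post: Request.new(request_method: "POST", fullpath: "/posts",
                           params: { "authenticity_token" => session_token }),
    cross_site_post: Request.new(request_method: "POST", fullpath: "/posts", params: {}),
    prefix_lookalike: Request.new(request_method: "POST",
                                  fullpath: "/users/auth/saml/callback/extra", params: {}),
    callback_get: Request.new(request_method: "GET",
                              fullpath: "/users/auth/saml/callback", params: {})
  }
  requests.transform_values { |r| forgery_check(r, session_token: session_token) }
end

puts sample_results.inspect if $PROGRAM_NAME == __FILE__
```

In a real app the predicate would sit behind `skip_forgery_protection if: :saml_callback_request?` in `ApplicationController`; a tighter alternative is `skip_forgery_protection only: :saml` in a custom `Users::OmniauthCallbacksController`, because Devise's `/users/auth/:action/callback` route dispatches to the action named after the provider. Either way the exemption is confined to the one route whose request is authenticated by something other than the Rails token, namely the signed SAML response that the OmniAuth strategy validates; every other POST keeps the normal check.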
rajdeepbhatia commented 1 year ago

Hey @spemmons, any luck resolving this issue?