kmrshntr / omniauth-slack

MIT License

Sign in via Slack causes 500 error "csrf_detected | CSRF detected" #60

Open noahd1 opened 6 years ago

noahd1 commented 6 years ago

Unsure at the moment what causes this, but it seems, googling around, that it's perhaps not specific to omniauth-slack, but I don't understand the problem well enough to say.

Stacktrace:

web_1  | I, [2018-02-28T19:28:30.178720 #1]  INFO -- omniauth: (slack) Callback phase initiated.
web_1  | E, [2018-02-28T19:28:30.185502 #1] ERROR -- omniauth: (slack) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
web_1  | E, [2018-02-28T19:28:30.185941 #1] ERROR -- omniauth: (slack) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
web_1  |
web_1  | OmniAuth::Strategies::OAuth2::CallbackError (csrf_detected | CSRF detected):
web_1  |
web_1  | omniauth (1.8.1) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
web_1  | omniauth (1.8.1) lib/omniauth/failure_endpoint.rb:20:in `call'
web_1  | omniauth (1.8.1) lib/omniauth/failure_endpoint.rb:12:in `call'
web_1  | omniauth (1.8.1) lib/omniauth/strategy.rb:486:in `fail!'
web_1  | omniauth-oauth2 (1.3.1) lib/omniauth/strategies/oauth2.rb:75:in `callback_phase'
web_1  | omniauth (1.8.1) lib/omniauth/strategy.rb:236:in `callback_call'
web_1  | omniauth (1.8.1) lib/omniauth/strategy.rb:188:in `call!'
web_1  | omniauth (1.8.1) lib/omniauth/strategy.rb:168:in `call'
web_1  | omniauth (1.8.1) lib/omniauth/strategy.rb:190:in `call!'
web_1  | omniauth (1.8.1) lib/omniauth/strategy.rb:168:in `call'
web_1  | omniauth (1.8.1) lib/omniauth/builder.rb:63:in `call'

Other Omniauth issues related to CSRF:

omniauth/omniauth-github#37 omniauth/omniauth-oauth2#32 auth0/omniauth-auth0#49

Initializer code:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :slack, ENV['SLACK_APP_ID'], ENV['SLACK_APP_SECRET'], scope: 'identity.basic', name: :sign_in_with_slack, team: "foo"
  provider :slack, ENV['SLACK_APP_ID'], ENV['SLACK_APP_SECRET'], scope: 'dnd:read,dnd:write', team: "foo"
end

Versions:

jayelkaake commented 2 years ago

I think this happens because Slack does not always provide the state value if you come from their end, although I haven't been able to figure out a solution to that...
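The check that raises this error, shown as an added illustration that is not code from omniauth-oauth2 or omniauth-slack: a plain-Ruby stand-in for the `state` handling omniauth-oauth2 1.3.1 performs around `callback_phase` (mint a random `state` in the request phase, keep it in the session under `omniauth.state`, and in the callback fail with `csrf_detected` when the returned `state` is empty or differs from the stored one, unless the `provider_ignores_state` option is set). The `StateCheck` module, its method names, the hash used in place of the Rack session and `request.params`, and the scenario inputs are constructed for this example. The scenarios cover the normal browser-initiated flow, a replay, a Slack-initiated flow that arrives with no `state` (the case described in the comment above), a forged callback, a mismatch, and what `provider_ignores_state` changes.

```ruby
require "securerandom"

# Plain-Ruby stand-in for the OAuth2 "state" CSRF check (an illustration of what
# omniauth-oauth2 does in callback_phase, not the gem's code). The constructed
# session and params hashes below play the role of the Rack session and
# request.params.
module StateCheck
  SESSION_KEY = "omniauth.state" # the session key omniauth-oauth2 uses for the state

  # Request phase: mint an unguessable state, remember it in the user's session,
  # and return it so the caller can put it in the ?state= parameter sent to Slack.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session[SESSION_KEY] = state
    state
  end

  # Callback phase: :ok when the echoed state matches the one in the session,
  # :csrf_detected when it is missing or different. The session value is
  # consumed on every attempt, so a replayed callback also fails. With
  # provider_ignores_state: true the comparison is skipped entirely.
  def self.callback_phase(params, session, provider_ignores_state: false)
    expected = session.delete(SESSION_KEY)
    return :ok if provider_ignores_state

    received = params["state"].to_s
    return :csrf_detected if received.empty? || expected.nil?

    secure_equal?(received, expected) ? :ok : :csrf_detected
  end

  # Constant-time comparison so the check does not leak how many leading bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Walks through the cases behind this issue and returns the outcome of each.
  def self.scenarios
    results = {}

    # 1. Browser-initiated: the user clicked "Sign in with Slack" in this app,
    #    so a state was minted and Slack echoes it back unchanged.
    session = {}
    state = request_phase(session)
    results[:browser_initiated] = callback_phase({ "code" => "c1", "state" => state }, session)

    # 2. Replay of the same callback: the session no longer holds the state.
    results[:replayed_callback] = callback_phase({ "code" => "c1", "state" => state }, session)

    # 3. Slack-initiated (the case described in the thread): the flow began on
    #    Slack's side, nothing was minted here, and the callback carries no state.
    results[:slack_initiated_no_state] = callback_phase({ "code" => "c2" }, {})

    # 4. Forged callback: an attacker lures the victim to the callback URL with
    #    the attacker's code and a guessed state, but the victim's session never
    #    started a flow.
    results[:forged_callback] = callback_phase({ "code" => "attacker", "state" => "guess" }, {})

    # 5. Mismatch: a flow was started but a different state comes back.
    session = {}
    request_phase(session)
    results[:state_mismatch] = callback_phase({ "code" => "c3", "state" => "other" }, session)

    # 6. provider_ignores_state: true lets the state-less Slack-initiated
    #    callback through ...
    results[:ignore_state_slack_initiated] =
      callback_phase({ "code" => "c2" }, {}, provider_ignores_state: true)

    # 7. ... but it also lets the forged callback through, because the check is
    #    simply gone.
    results[:ignore_state_forged] =
      callback_phase({ "code" => "attacker", "state" => "guess" }, {}, provider_ignores_state: true)

    results
  end
end

puts StateCheck.scenarios.map { |name, outcome| "#{name}: #{outcome}" } if $PROGRAM_NAME == __FILE__
```

Scenario 3 is exactly the trace in the issue: no `omniauth.state` in the session, no `state` in the callback, so the callback phase fails with `csrf_detected` before any credentials are checked. Scenarios 6 and 7 show the cost of the `provider_ignores_state` escape hatch: it makes the Slack-initiated case pass only by removing the CSRF check for every callback, so anything that turns it on needs some other binding between the login initiation and the callback.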