nhosoya / omniauth-apple

OmniAuth strategy for Sign In with Apple
MIT License

Authentication failure! HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com) #100

Closed jlxq0 closed 1 year ago

jlxq0 commented 1 year ago

(I'm not sure if this is a duplicate of #76 or a new issue. Even if it is, I cannot make it work with any of the hints in that issue.)

I can successfully authenticate with apple, but then the callback fails with the following error:

2022-11-04T03:42:46.488017+00:00 app[web.1]: E, [2022-11-04T03:42:46.487931 #4] ERROR -- omniauth: (apple) Authentication failure! nonce_mismatch: OmniAuth::Strategies::OAuth2::CallbackError, nonce_mismatch | nonce mismatch
2022-11-04T03:42:46.488850+00:00 app[web.1]: I, [2022-11-04T03:42:46.488804 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Processing by Users::OmniauthCallbacksController#failure as HTML
2022-11-04T03:42:46.488883+00:00 app[web.1]: I, [2022-11-04T03:42:46.488859 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f]   Parameters: {"state"=>"cd7afa0a1bc11f655a0fe7cd737bb31c68636be05dfe1c86", "code"=>"cec90bc3ac5664ddbbb3d7890c59a8ded.0.rrtrs.wm71iFY5KsYGMy2F1nnW9g"}
2022-11-04T03:42:46.489141+00:00 app[web.1]: W, [2022-11-04T03:42:46.489114 #4]  WARN -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)
2022-11-04T03:42:46.489474+00:00 app[web.1]: I, [2022-11-04T03:42:46.489445 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 311)
2022-11-04T03:42:46.489572+00:00 app[web.1]: E, [2022-11-04T03:42:46.489547 #4] ERROR -- omniauth: (apple) Authentication failure! HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com): ActionController::InvalidAuthenticityToken, HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)
2022-11-04T03:42:46.489950+00:00 app[web.1]: I, [2022-11-04T03:42:46.489918 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Processing by Users::OmniauthCallbacksController#failure as HTML
2022-11-04T03:42:46.489979+00:00 app[web.1]: I, [2022-11-04T03:42:46.489960 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f]   Parameters: {"state"=>"cd7afa0a1bc11f655a0fe7cd737bb31c68636be05dfe1c86", "code"=>"cec90bc3ac5664ddbbb3d7890c59a8ded.0.rrtrs.wm71iFY5KsYGMy2F1nnW9g"}
2022-11-04T03:42:46.490085+00:00 app[web.1]: W, [2022-11-04T03:42:46.490059 #4]  WARN -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)
2022-11-04T03:42:46.490270+00:00 app[web.1]: I, [2022-11-04T03:42:46.490248 #4]  INFO -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f] Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 140)
2022-11-04T03:42:46.490989+00:00 app[web.1]: F, [2022-11-04T03:42:46.490944 #4] FATAL -- : [b4b4effc-cef6-4567-9509-3d18b9daf37f]
2022-11-04T03:42:46.490989+00:00 app[web.1]: [b4b4effc-cef6-4567-9509-3d18b9daf37f] ActionController::InvalidAuthenticityToken (HTTP Origin header (https://appleid.apple.com) didn't match request.base_url (https://mysite.com)):
2022-11-04T03:42:46.490990+00:00 app[web.1]: [b4b4effc-cef6-4567-9509-3d18b9daf37f]
2022-11-04T03:42:46.490990+00:00 app[web.1]: [b4b4effc-cef6-4567-9509-3d18b9daf37f] actionpack (7.0.4) lib/action_controller/metal/request_forgery_protection.rb:251:in `handle_unverified_request'

I'm on ruby 3.1.2p20 and Rails 7.0.4; using devise, omniauth and omniauth-google-oauth2 successfully.

My callback controller for apple looks like this:

  # Devise OmniAuth callback action for the :apple provider.
  # `auth` is taken here to be a controller helper returning request.env['omniauth.auth']
  # (not shown in the post).
  def apple
    user = User.from_omniauth(auth)

    if user.present?
      sign_out_all_scopes
      flash[:success] = 'Success'
      sign_in_and_redirect user, event: :authentication
    else
      flash[:alert] = 'OAuth failure'
      redirect_to new_user_session_path
    end
  end

Is there a working minimal example app I could check out?

nov commented 1 year ago

Since Apple's AuthZ response is POST, you need SameSite=none cookie on some browsers.

jlxq0 commented 1 year ago

Do you have an example app (or code) or a hint on how to implement this for some browsers?

nov commented 1 year ago

https://bogdanvlviv.com/posts/ruby/rails/samesite-cookies-and-rails.html

jlxq0 commented 1 year ago

I think I am one step closer – however I'm not being logged in. Does the callback controller for apple look different from the other providers due to the POST instead of GET? Do you have an example?

jlxq0 commented 1 year ago

Nvm my last comment. My problem was that the user(-email) already existed from another provider and thus the sign up failed (relatively silently). Now it is working.

jakeNiemiec commented 1 year ago

https://bogdanvlviv.com/posts/ruby/rails/samesite-cookies-and-rails.html

@nov, do you happen to have another example? That site is gone and there is no google cache or wayback snapshot to view it.

dcrec1 commented 1 year ago

To avoid this I added the following code to the Omniauth callbacks controller:

  # Skips Rails' CSRF (Origin + authenticity token) verification for every
  # request to the `apple` action; all other actions keep the default check.
  def verified_request?
    action_name == 'apple' || super
  end

seballot commented 1 year ago

Thanks @dcrec1! But for me I needed the following code, in ApplicationController.rb:

  # ApplicationController.rb
  # Skips Rails' CSRF verification for every action of the omniauth_callbacks
  # controller (all providers), not just the Apple callback.
  def verified_request?
    controller_name == "omniauth_callbacks" || super
  end
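Added example (not code from omniauth-apple, Rails, or any commenter): a plain-Ruby model of the two layers this thread touches, the browser's SameSite decision for the session cookie (nov's comment) and Rails' Origin/token check that the verified_request? overrides bypass. All function names, the cookie hashes and the request hash are constructed; the override here is narrowed to the apple action with Apple's Origin rather than the whole controller.

```ruby
APPLE_ORIGIN = 'https://appleid.apple.com'   # Origin Apple's form_post response carries
APP_BASE_URL = 'https://mysite.com'          # request.base_url of the Rails app

# Browser-side model: is a cookie attached to a top-level cross-site request?
# SameSite=Lax allows cross-site top-level GET only (Rails 7 default);
# SameSite=None is sent on a cross-site POST but browsers require Secure + HTTPS.
def cookie_sent?(cookie, method:, cross_site:, https:)
  return true unless cross_site
  case cookie.fetch(:same_site, :lax)   # a missing attribute is treated as Lax here
  when :strict then false
  when :lax    then method == 'GET'
  when :none   then cookie[:secure] == true && https
  else false
  end
end

# Rails-style origin check: a present Origin header must equal the app's base URL.
def origin_matches?(request)
  origin = request[:headers]['Origin']
  origin.nil? || origin == APP_BASE_URL
end

# Narrowed version of the thread's overrides (an assumption, not the gem's code):
# exempt only the `apple` action, and only when Origin is Apple's, instead of
# the whole callbacks controller. Otherwise Rails' Origin + token check applies.
def verified_request?(request, exempt_apple: false)
  return true if request[:method] == 'GET'
  apple_callback = request[:action] == 'apple' && request[:headers]['Origin'] == APPLE_ORIGIN
  (exempt_apple && apple_callback) || (origin_matches?(request) && request[:csrf_token_valid])
end

# Constructed Apple callback: cross-site POST with code + state and no CSRF token.
# The nonce/state omniauth compares against lives in the session, so the
# login can only succeed if the session cookie actually arrived.
def apple_callback(session_cookie, exempt_apple: false)
  request = { method: 'POST', action: 'apple', csrf_token_valid: false,
              headers: { 'Origin' => APPLE_ORIGIN },
              params: { 'state' => 'constructed-state', 'code' => 'constructed-code' } }
  session_present = cookie_sent?(session_cookie, method: 'POST', cross_site: true, https: true)
  csrf_ok = verified_request?(request, exempt_apple: exempt_apple)
  { session_present: session_present, csrf_ok: csrf_ok,
    authenticated: session_present && csrf_ok }
end

puts apple_callback({ same_site: :lax,  secure: true })                      # both checks fail
puts apple_callback({ same_site: :none, secure: true }, exempt_apple: true)  # succeeds
```

Switching the session cookie to SameSite=None only restores the session (and with it the stored nonce); the Origin check still has to be exempted for the callback, and the narrower exemption above keeps every other callback action under the default CSRF check.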