Closed obregonia1 closed 1 year ago
Rather then removing the nonce claim I opted to store it additionally in a sameSite: :none cookie which only lives during the authentication with apple stage:
module OmniAuth
module Strategies
class Apple < OmniAuth::Strategies::OAuth2
private
def new_nonce
nonce = SecureRandom.urlsafe_base64(16)
session["omniauth.nonce"] = nonce
cookies.encrypted[:apple_auth_params] =
{ same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }
nonce
end
def stored_nonce
nonce = session.delete("omniauth.nonce") || cookies.encrypted[:apple_auth_params]
cookies.delete :apple_auth_params
nonce
end
def cookies
request.env["action_dispatch.cookies"]
end
end
end
end
add this monkey-patch to an initializer. The session will be a new one in most cases when the callback is invoked with a POST from the apple side.
@bvogel LGTM!! How about do you create PR with this solution? I close this PR, after your PR will be merged.
i tried to add this to my initializer and i get this error @bvogel @obregonia1
(apple) Authentication failure! undefined method encrypted' for nil:NilClass: NoMethodError, undefined method
encrypted' for nil:NilClass
This error is when it tries to run this line cookies.encrypted[:apple_auth_params] = { same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }
Has anyone experienced something similar?
better try using the code from PR #107 - we currently run that in our production system. On the other hand a monkey patch like the one above shouldn't be executed during startup, it's just another class definition were only class name and methods are identified.
@bvogel Thanks. Due to circumstances, we no longer need to use this library, so we are not using this change.
I hope discuss in #107 will be going in the right direction.
i tried to add this to my initializer and i get this error @bvogel @obregonia1 (apple) Authentication failure! undefined method
encrypted' for nil:NilClass: NoMethodError, undefined method
encrypted' for nil:NilClassThis error is when it tries to run this line
cookies.encrypted[:apple_auth_params] = { same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }
Has anyone experienced something similar?
I fixed this issue by swapping out
def cookies
request.env["action_dispatch.cookies"]
end
to
def cookies
@_request ||= ActionDispatch::Request.new(request.env)
@_request.cookie_jar
end
I removed nonce comparison. I failed authentification with omniauth-apple 1.3.0, and I found that
session['omniauth.nonce']
is nil.session['omniauth.nonce']
is assigned after calledauthorize_params
, butauthorize_params
is never called. In addition,session['omniauth.nonce']
is generated in application, and id_token[:nonce] is generated server in Apple.ref #102
ref #103