nhosoya / omniauth-apple

OmniAuth strategy for Sign In with Apple
MIT License

Error when callback? #64

Closed classicboy closed 1 year ago

classicboy commented 3 years ago

I am using this gem together with Devise for the 'Sign in with Apple' feature on my web app. Everything works fine when redirecting to the Apple Sign in page. But after a successful sign in, there is a callback to my web app and an error happens (in the local environment). I can only fix this error if I add protect_from_forgery prepend: true, only: :apple to the top of OmniauthCallbacksController. But I don't think this is the right way to fix it.


pablomarti commented 3 years ago

I am getting exactly the same error.

pablomarti commented 3 years ago

Hey @classicboy check this out: https://github.com/nhosoya/omniauth-apple/issues/54#issuecomment-662741233 and https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

SwannG commented 3 years ago

Hello everyone, I was getting a "Can't verify CSRF token authenticity" error after the Apple sign in page. As said by @pablomarti I added the gem: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 but now I'm getting an "ActionController::InvalidAuthenticityToken" just like you @classicboy. Did you manage to fix your issue? Any idea on what's going on and how to fix it?

esellin commented 3 years ago

See this interesting discussion from the Discourse guys trying to implement Apple SSO on their website.

The trouble is that Apple uses a POST for the final redirect. I created a dedicated controller in my Rails app to receive this POST request from Apple, on which I specifically disable all CSRF checks, and this controller just redirects to the standard OmniAuth callback URL like this:

    # Only the two parameters OmniAuth needs are passed on, URL-encoded via ActiveSupport's Hash#to_query
    # so their values cannot alter the query string of the callback URL.
    redirect_to "/users/auth/apple/callback?#{request.params.slice("state", "code").to_query}"

From testing with Apple SSO on the Discourse website, it looks like this is what they are doing.

Hope this helps!
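
A fuller version of the relay described above, added here as an example rather than code from this gem or from the comment: the module name, controller name, route and callback path are assumptions for a Devise app with the default users scope. The relay accepts Apple's POST without an authenticity token, drops every parameter other than state, code and user, URL-encodes the values and sends the browser on to the OmniAuth callback with a GET, where OmniAuth's own state check still runs.

```ruby
require "cgi"

# Relay for Apple's form_post callback. Apple POSTs `state`, `code` and, on the
# first login, `user` to the return URL. The browser is bounced from that POST
# to the normal OmniAuth callback with a GET, so the login still goes through
# OmniAuth, which compares `state` with the value stored in the session.
module AppleFormPostRelay
  # Assumed target: the OmniAuth callback for Devise's default `users` scope.
  # Only this fixed relative path is ever used, so the relay cannot send the
  # browser to another site.
  CALLBACK_PATH = "/users/auth/apple/callback"
  ALLOWED_PARAMS = %w[state code user].freeze

  # Build the callback URL from the posted form fields. Unknown fields are
  # dropped and every value is URL-encoded, so a value containing `&`, `#`
  # or spaces cannot add or alter query parameters on the callback.
  def self.redirect_url(params)
    params = params.transform_keys(&:to_s)
    if params["state"].to_s.empty? || params["code"].to_s.empty?
      raise ArgumentError, "state and code are required"
    end

    query = ALLOWED_PARAMS.map do |key|
      value = params[key].to_s
      "#{key}=#{CGI.escape(value)}" unless value.empty?
    end.compact
    "#{CALLBACK_PATH}?#{query.join('&')}"
  end
end

# Rails wiring, evaluated only when ActionController is loaded (hypothetical
# controller and route). Add `post "/users/auth/apple/relay", to: "apple_relay#create"`
# to routes.rb and register that URL as the return URL on the Apple side; the
# redirect_uri the strategy sends to Apple has to match it.
if defined?(ActionController::Base)
  class AppleRelayController < ActionController::Base
    # The relay changes no server state, so the token check is skipped for this
    # single action instead of for the whole OmniAuth callbacks controller.
    skip_before_action :verify_authenticity_token, only: :create

    def create
      redirect_to AppleFormPostRelay.redirect_url(params.permit(:state, :code, :user).to_h)
    rescue ArgumentError
      head :bad_request
    end
  end
end
```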

SwannG commented 3 years ago

@esellin thanks for the answer !

I finally managed to make it work by adding skip_before_action :verify_authenticity_token, only: :apple at the top of my omniauth_callbacks_controller.rb, but after that I was getting "Can't verify CSRF token authenticity", and to fix it I removed the domain: ... option in config/initializers/session_store.rb

Meat-Chopper commented 3 years ago

Is it possible to implement something like Discourse plugin solution https://github.com/discourse/discourse-apple-auth/blob/40ef076fa744d562ce54f3f30921a1b387e042fb/lib/omniauth_apple.rb#L60 in this gem?

wilg commented 3 years ago

@esellin Your solution worked for me, though I had to also pass through user to get the user name properly. However, once I added Sign In With Apple JS it stopped working and started failing with csrf_detected.

Anybody have ideas?

rbarrera87 commented 2 years ago

Did you solve your issue @wilg?

wilg commented 2 years ago

I think I did get it working but can't look up the solution at this moment.

rbarrera87 commented 2 years ago

No worries @wilg, I will keep investigating. The thing is that I am working with a Rails API and the solution from @Meat-Chopper does not work for me. If I find the answer I will post it here.

nov commented 1 year ago

Set SameSite=None on your cookie.

salzig commented 1 year ago

Instead of opening up the session to potential security risks, we may merge #107 and allow the nonce to be stored in its own encrypted cookie?