omniauth / omniauth

OmniAuth is a flexible authentication system utilizing Rack middleware.
MIT License

OmniAuth::AuthenticityError Forbidden #1025

Closed hansenjl closed 3 years ago

hansenjl commented 3 years ago

Configuration

Expected Behavior

I should be able to send a request to google to login with oauth. All steps that I have completed work perfectly if I downgrade the omniauth gem version to 1.9.1 and utilize the omniauth-rails_csrf_protection gem for csrf protection.

Actual Behavior

When I use omniauth-2.0.0, I consistently receive the OmniAuth::AuthenticityError Forbidden error. On the error page, it is clear that I have an authenticity token because you can see it listed at the bottom.

Steps to Reproduce

Install 'omniauth-2.0.0' with the 'omniauth-google-oauth2' gem. Set up the omniauth.rb file to look like this:

Rails.application.config.middleware.use OmniAuth::Builder do
    provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET']
end

Click on the button to log in with Google - it will make a POST request to this url: "/auth/google_oauth2"

Then it raises the AuthenticityError Forbidden as a result of this method:

def deny(_env)
  OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")
  raise AuthenticityError.new(options[:message])
end

Full Traceback

omniauth (2.0.0) lib/omniauth/authenticity_token_protection.rb:25:in `deny'
rack-protection (2.1.0) lib/rack/protection/base.rb:54:in `react'
omniauth (2.0.0) lib/omniauth/authenticity_token_protection.rb:18:in `call!'
omniauth (2.0.0) lib/omniauth/authenticity_token_protection.rb:11:in `call'
omniauth (2.0.0) lib/omniauth/strategy.rb:236:in `request_call'
omniauth (2.0.0) lib/omniauth/strategy.rb:192:in `call!'
omniauth (2.0.0) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.0) lib/omniauth/builder.rb:45:in `call'
rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3) lib/rack/etag.rb:27:in `call'
rack (2.2.3) lib/rack/conditional_get.rb:40:in `call'
rack (2.2.3) lib/rack/head.rb:12:in `call'
actionpack (6.0.3.4) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.3.4) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.3.4) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.3.4) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
web-console (4.1.0) lib/web_console/middleware.rb:132:in `call_app'
web-console (4.1.0) lib/web_console/middleware.rb:28:in `block in call'
web-console (4.1.0) lib/web_console/middleware.rb:17:in `catch'
web-console (4.1.0) lib/web_console/middleware.rb:17:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (6.0.3.4) lib/rails/rack/logger.rb:37:in `call_app'
railties (6.0.3.4) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (6.0.3.4) lib/active_support/tagged_logging.rb:80:in `block in tagged'
activesupport (6.0.3.4) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (6.0.3.4) lib/active_support/tagged_logging.rb:80:in `tagged'
railties (6.0.3.4) lib/rails/rack/logger.rb:26:in `call'
sprockets-rails (3.2.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.2.3) lib/rack/method_override.rb:24:in `call'
rack (2.2.3) lib/rack/runtime.rb:22:in `call'
activesupport (6.0.3.4) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
actionpack (6.0.3.4) lib/action_dispatch/middleware/host_authorization.rb:82:in `call'
webpacker (4.3.0) lib/webpacker/dev_server_proxy.rb:23:in `perform_request'
rack-proxy (0.6.5) lib/rack/proxy.rb:57:in `call'
railties (6.0.3.4) lib/rails/engine.rb:527:in `call'
puma (4.3.7) lib/puma/configuration.rb:228:in `call'
puma (4.3.7) lib/puma/server.rb:713:in `handle_request'
puma (4.3.7) lib/puma/server.rb:472:in `process_client'
puma (4.3.7) lib/puma/server.rb:328:in `block in run'
puma (4.3.7) lib/puma/thread_pool.rb:134:in `block in spawn_thread'

BobbyMcWho commented 3 years ago

Hi @hansenjl, have you followed the rails example in the upgrading to 2.0 guide?

hansenjl commented 3 years ago

@BobbyMcWho Thank you for pointing that out! I did not see that upgrading to 2.0 guide. I implemented the steps listed there and added the example TokenVerifier class but I did have a few questions about it. The comment states: This specific implementation has been pared down and should not be taken as the most correct way to do this. What then would be the most correct way to do this? Would it be just copying the TokenVerifier class from here: https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb

Additionally, this may seem like a silly question, but organizationally, where would be the best place to add in the TokenVerifier class for a Rails application?

BobbyMcWho commented 3 years ago

No silly questions, others may have another opinion, but I'd say probably in lib.

I do have a PR open for omniauth-rails_csrf_protection that shows how I configure it if you were to use that gem.
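The thread above turns on what the "request validation phase" that OmniAuth 2.0 runs before `/auth/:provider` actually does, and what a TokenVerifier plugged into it has to check. The following is an added, stand-alone illustration, not code from OmniAuth, from the upgrading guide, or from the omniauth-rails_csrf_protection gem. The real Rails verifier delegates to `ActionController::RequestForgeryProtection`; here that is replaced by an explicit session-bound token comparison so the example runs with plain Ruby and no Rails or OmniAuth loaded. `AuthenticityError`, `TokenVerifier`, `issue_token`, `build_env` and `request_allowed?` are all names defined here for the example; only the `OmniAuth.config.request_validation_phase` assignment mentioned in the comment is OmniAuth's own (2.x) configuration hook.

```ruby
require "securerandom"
require "stringio"
require "uri"

# Stand-in for OmniAuth::AuthenticityError so the example runs without the gem
# loaded (assumption for this example only).
class AuthenticityError < StandardError; end

# Callable with the same shape OmniAuth 2.x expects for its request validation
# phase: it receives the Rack env and raises to deny the request. In an app it
# would be wired up as:
#   OmniAuth.config.request_validation_phase = TokenVerifier.new
# (that assignment is not executed here).
class TokenVerifier
  TOKEN_PARAM = "authenticity_token"
  SESSION_KEY = "_csrf_token"

  def call(env)
    expected  = env.fetch("rack.session", {})[SESSION_KEY]
    submitted = submitted_token(env)
    return if expected && submitted && secure_compare(expected, submitted)

    # Mirrors OmniAuth's deny: log, then raise so the strategy never starts.
    raise AuthenticityError, "Forbidden: authenticity token missing or invalid"
  end

  private

  # Token may arrive as a form field (the hidden input a Rails form adds) or as
  # an X-CSRF-Token header (what rails-ujs sends on data-method="post" links).
  def submitted_token(env)
    return env["HTTP_X_CSRF_TOKEN"] if env["HTTP_X_CSRF_TOKEN"]

    input = env["rack.input"]
    return nil unless input

    body = input.read
    input.rewind if input.respond_to?(:rewind) # leave the body readable downstream
    URI.decode_www_form(body).to_h[TOKEN_PARAM]
  end

  # Constant-time comparison so token mismatches do not leak through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Issue (or reuse) the per-session token that the login form must echo back.
def issue_token(session)
  session[TokenVerifier::SESSION_KEY] ||= SecureRandom.urlsafe_base64(32)
end

# Build a constructed Rack env for a POST to the OmniAuth request path.
def build_env(session:, form: {}, header_token: nil)
  env = {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO"      => "/auth/google_oauth2",
    "rack.session"   => session,
    "rack.input"     => StringIO.new(URI.encode_www_form(form))
  }
  env["HTTP_X_CSRF_TOKEN"] = header_token if header_token
  env
end

# true when the verifier lets the request through, false when it denies it.
def request_allowed?(env, verifier = TokenVerifier.new)
  verifier.call(env)
  true
rescue AuthenticityError
  false
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_token(session)
  puts request_allowed?(build_env(session: session, form: { "authenticity_token" => token }))
  puts request_allowed?(build_env(session: session, form: {}))
end
```

The failure in the original report is the last case above: the POST to `/auth/google_oauth2` reaches the verifier without a token it can match against the session, so `deny` fires. Binding the token to `rack.session` is what makes a forged cross-site POST fail, which is why OmniAuth 2.0 requires POST plus a verifier rather than allowing a bare GET to start the flow.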