Closed hansenjl closed 3 years ago
Hi @hansenjl, have you followed the rails example in the upgrading to 2.0 guide?
@BobbyMcWho Thank you for pointing that out! I did not see that upgrading to 2.0 guide. I implemented the steps listed there and added the example TokenVerifier class, but I did have a few questions about it. The comment states: "This specific implementation has been pared down and should not be taken as the most correct way to do this."
What then would be the most correct way to do this? Would it be just copying the TokenVerifier class from here: https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb
Additionally, this may seem like a silly question, but organizationally, where would be the best place to add in the TokenVerifier class for a Rails application?
No silly questions, others may have another opinion, but I'd say probably in lib.
I do have a PR open for omniauth-rails_csrf_protection that shows how I configure it if you were to use that gem
Configuration
omniauth-2.0.0
2.6.1
Rails 6.0.3.4
macOS Catalina 10.15
Expected Behavior
I should be able to send a request to google to login with oauth. All steps that I have completed work perfectly if I downgrade the omniauth gem version to 1.9.1 and utilize the omniauth-rails_csrf_protection gem for csrf protection.
Actual Behavior
When I use omniauth-2.0.0, I consistently receive the
OmniAuth::AuthenticityError Forbidden
error. On the error page, it is clear that I have an authenticity token because you can see it listed at the bottom.
Steps to Reproduce
Install 'omniauth-2.0.0' with the 'omniauth-google-oauth2' gem. Set up the omniauth.rb file to look like this:
Click on the button to log in with Google - it will make a POST request to this URL: "/auth/google_oauth2"
Then it raises the AuthenticityError Forbidden as a result of this method:
Full Traceback