Open TheRealNeil opened 1 year ago
What SameSite-config do you have?
We ran into errors like this after upgrading to Samesite=lax. Found the reason in this blog post: https://www.ubisecure.com/technical-announcements/samesite-cookies-changes/
Caution: unless some of the OIDC integrations are using response_mode=form_post
So if Microsoft Azure AD supports other response_modes, I would suggest removing response_mode=form_post.
Are you using the gem omniauth-rails_csrf_protection, or have you included something like this? It's needed when using omniauth v2. I remember getting some CSRF related errors and adding the gem, plus the skip_forgery_protection, and that seemed to solve them.
Might not be the same though, I'm not using the same provider.
I had the same issue in development, but it was my fault and super easy to fix: I was using "http://127.0.0.1:3000/..." when accessing my app but the callback had to point to a domain, so I had to use "http://localhost:3000/..." for it. This of course doesn't work, because the cookie that contains the state gets lost when the domain is switched by the redirect happening in the callback. Simply always using "http://localhost:3000/..." fixed the issue for me.
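Both cookie failures described in this thread (the SameSite=Lax session cookie being dropped on a cross-site `response_mode=form_post` callback, and the cookie being lost when the app is opened at 127.0.0.1 but the callback is registered for localhost) can be reproduced with a small model of the browser's cookie-attachment rules. This is an added example, not code from omniauth_openid_connect or Devise; the cookie name, hosts and state value are constructed.

```ruby
# Constructed model of whether a browser attaches the OmniAuth state cookie to the
# OIDC callback request. Simplified: host-only cookies, no Secure/Domain handling.
Cookie  = Struct.new(:name, :value, :host, :same_site)     # same_site: :lax, :strict, :none
Request = Struct.new(:method, :host, :initiator_host, :top_level)

# Simplified "site" of a host: last two labels for DNS names; an IP literal or a
# single-label name such as localhost is compared whole, so localhost and
# 127.0.0.1 are different sites (and different cookie hosts).
def site_of(host)
  return host if host =~ /\A[\d.]+\z/ || !host.include?(".")
  host.split(".").last(2).join(".")
end

def cookie_sent?(cookie, req)
  return false unless cookie.host == req.host            # host-only cookie: exact host match
  same_site = site_of(req.initiator_host) == site_of(req.host)
  case cookie.same_site
  when :none   then true
  when :strict then same_site
  when :lax    then same_site || (req.top_level && req.method == "GET")  # Lax: cross-site only on safe top-level navigation
  end
end

# The callback handler compares the state stored in the cookie with the state echoed by the IdP
def verify_state(cookie, req, returned_state)
  return :state_cookie_missing unless cookie_sent?(cookie, req)
  cookie.value == returned_state ? :ok : :state_mismatch
end

STATE     = "constructed-state-value"
IDP       = "login.microsoftonline.com"
COOKIE    = Cookie.new("_app_session", STATE, "localhost", :lax)   # set while browsing localhost
COOKIE_IP = Cookie.new("_app_session", STATE, "127.0.0.1", :lax)  # set while browsing 127.0.0.1

# 1. response_mode=form_post: the IdP auto-submits a cross-site POST to the callback -> Lax drops the cookie
FORM_POST_CALLBACK = Request.new("POST", "localhost", IDP, true)
# 2. response_mode=query: the callback is a cross-site top-level GET redirect -> Lax still sends the cookie
QUERY_CALLBACK     = Request.new("GET",  "localhost", IDP, true)

if __FILE__ == $0
  puts verify_state(COOKIE,    FORM_POST_CALLBACK, STATE)  # state_cookie_missing
  puts verify_state(COOKIE,    QUERY_CALLBACK,     STATE)  # ok
  # 3. App opened at 127.0.0.1, callback registered for localhost: cookie host never matches
  puts verify_state(COOKIE_IP, QUERY_CALLBACK,     STATE)  # state_cookie_missing
end
```

The third case fails even with a GET callback, which is why switching the browser to the same host the callback is registered for (as in the comment above) fixes it regardless of SameSite.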
Hi,
I am trying to configure omniauth_openid_connect to work with Devise and Microsoft Azure AD. I have the following config for Devise:
When attempting to authenticate, I see the following errors in my Rails log:
Adding skip_forgery_protection to my OmniauthCallbacksController results in just the CSRF error. Can anyone offer me any guidance?
Thanks, Neil