omniauth / omniauth_openid_connect

MIT License

ActionController::InvalidAuthenticityToken with omniauth_openid_connect and omniauth-rails_csrf_protection #173

Open mchavarriagam opened 9 months ago

mchavarriagam commented 9 months ago

Hi,

I'm running Rails v5.2.6 with Ruby v2.5.8, omniauth v2.1.2, omniauth-rails_csrf_protection v1.0.1, and omniauth_openid_connect v0.6.1, working on LTI 1.3 integration (https://andyfmiller.com/2018/12/28/launching-an-lti-1-3-resource-link-using-openid-connect-third-party-login/).

When a third party POST request comes into our OIDC auth endpoint (/auth/openid_connect), omniauth starts the request validation phase (https://github.com/omniauth/omniauth/blob/master/lib/omniauth/strategy.rb#L240) which ultimately fails in omniauth-rails_csrf_protection with verified_request? being false (https://github.com/cookpad/omniauth-rails_csrf_protection/blob/main/lib/omniauth/rails_csrf_protection/token_verifier.rb#L33).

I assume(?) that this being a third party POST request into our OIDC auth would mean no valid request authenticity tokens would be sent (if this is the case then no request validation phase should take place for this specific request?), but I'm not sure how to prevent the request validation phase from being triggered. My assumption may also be incorrect, in which case I'm not sure how to proceed.

I tried adding skip_before_action :verify_authenticity_token in the omniauth_callbacks controller but that didn't work. Is there a way to configure omniauth_openid_connect to skip authenticity token verification when posted to "passthru", and if so, is that advisable?

Thanks.
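An added example, not code from this issue or from omniauth_openid_connect, of the mechanism the report describes: a stand-in for the token verifier that OmniAuth runs in its request validation phase, plus a wrapper that exempts only a POST to the configured OIDC path carrying the LTI 1.3 login-initiation parameters (iss, login_hint, target_link_uri, taken from the LTI spec and assumed here) while every other POST keeps the CSRF check. It assumes `OmniAuth.config.request_validation_phase` is the hook where such a verifier is installed.

```ruby
require "uri"
# Stands in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# env["body"] holds the raw form body as a string (constructed sample; real
# Rack exposes it as the rack.input IO).
def form_params(env)
  URI.decode_www_form(env["body"].to_s).to_h
end

# Stand-in for omniauth-rails_csrf_protection's TokenVerifier: a POST is
# accepted only if its authenticity_token matches the session token.
class CsrfVerifier
  def call(env)
    return true if env["REQUEST_METHOD"] == "GET"
    expected = (env["session"] || {})["_csrf_token"]
    return true if expected && form_params(env)["authenticity_token"] == expected
    raise InvalidAuthenticityToken, "unverified POST to #{env['PATH_INFO']}"
  end
end

# Parameters an LTI 1.3 third-party-initiated login POST carries (names from
# the LTI 1.3 spec, assumed here; the issue does not list them).
LTI_LOGIN_PARAMS = %w[iss login_hint target_link_uri].freeze

# Keeps the CSRF check for everything except a POST to the one OIDC path that
# looks like an LTI login initiation, so other form posts under /auth stay
# protected; the OIDC state/nonce checks still bind the later callback.
class LtiAwareVerifier
  def initialize(inner = CsrfVerifier.new, path: "/auth/openid_connect")
    @inner, @path = inner, path
  end

  def call(env)
    lti_login_initiation?(env) ? true : @inner.call(env)
  end

  def lti_login_initiation?(env)
    return false unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == @path
    params = form_params(env)
    LTI_LOGIN_PARAMS.all? { |k| !params[k].to_s.empty? }
  end
end
# Install with: OmniAuth.config.request_validation_phase = LtiAwareVerifier.new

# Constructed requests: a platform-initiated LTI login POST without a Rails
# token, and a same-path POST that lacks the LTI parameters.
LTI_POST = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/auth/openid_connect",
             "body" => "iss=https%3A%2F%2Fplatform.example&login_hint=u1&target_link_uri=https%3A%2F%2Ftool.example%2Flaunch" }
OTHER_POST = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/auth/openid_connect",
               "body" => "login_hint=u1", "session" => { "_csrf_token" => "tok" } }
```

`LtiAwareVerifier.new.call(LTI_POST)` passes, while `OTHER_POST` still raises `InvalidAuthenticityToken` because it has neither the full LTI parameter set nor a matching token.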

testmoez03 commented 5 months ago

@mchavarriagam Hi, I have the same issue. Did you manage to fix this?