zquestz / omniauth-google-oauth2

Oauth2 strategy for Google

What with state? #370

Closed AleksandrLeontev closed 3 years ago

AleksandrLeontev commented 5 years ago

Logs: [0cd3486a-ff6b-433e-b743-43e5e7e40ea0] (google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

My configs: provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], verify_iss: false

Should I use provider_ignores_state: true?

zquestz commented 5 years ago

Depends on your setup, are you using Rails or Sinatra? Are you using Devise? How are you setting up the login link?

AleksandrLeontev commented 5 years ago

@zquestz I use Rails 5.2 & Devise with omniauth

example

I have two providers for Google. One is just for sign-in and the other one is for other Google integrations (extended scope).

The problem with state appeared recently. Why do people advise against using the provider_ignores_state: true option?

zquestz commented 5 years ago

@AleksandrLeontev here is a good description I found.

CSRF attacks: the primary reason for using the state parameter is to mitigate CSRF attacks.

When you use state for CSRF mitigation on the redirection endpoint, that means that within the state value there is a unique and non-guessable value associated with each authentication request about to be initiated. It’s that unique and non-guessable value that allows you to prevent the attack by confirming if the value coming from the response matches the one you expect (the one you generated when initiating the request). The state parameter is a string so you can encode any other information in it.

The way this works is that you send a random value when starting an authentication request and validate the received value when processing the response. This requires you to store something on the client application side (in session or another medium) that allows you to perform the validation. If you receive a response with a state that does not match, you may be the target of an attack because this is either a response for an unsolicited request or someone trying to forge the response. For more information, see Mitigate CSRF Attacks With State Parameters.

Ideally you want this to work with state being passed in.
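To make the description above concrete, here is an added example (not code from this issue or from omniauth-oauth2) that models the request-phase/callback-phase state check in plain Ruby. The class and method names (StateGuard, run_flow, the "omniauth.state" session key, the sample authorization URL and the constructed "code" value) are assumptions for the demo; the real gem compares with a plain `!=`, whereas this version uses a constant-time comparison. It runs four round trips: a normal login, a forged callback with the check on, the same forged callback with provider_ignores_state: true, and a legitimate callback that arrives with a session that no longer holds the stored state.

```ruby
require "securerandom"

# Added example: a stripped-down model of the state check that an OAuth2
# strategy performs. Not the gem's code; names below are invented for the demo.
class CsrfDetected < StandardError; end

class StateGuard
  SESSION_KEY = "omniauth.state" # assumed session key for the demo

  def initialize(provider_ignores_state: false)
    @ignore_state = provider_ignores_state
  end

  # Request phase: mint a random, unguessable state, remember it in the
  # session, and send it along in the authorization redirect.
  def request_phase(session)
    state = SecureRandom.hex(24)
    session[SESSION_KEY] = state
    "https://accounts.google.com/o/oauth2/auth?response_type=code&state=#{state}"
  end

  # Callback phase: the value echoed back must equal the one stored for
  # *this* browser session, otherwise the response is unsolicited or forged.
  def callback_phase(session, params)
    return :ok if @ignore_state # provider_ignores_state: true skips the check
    expected = session.delete(SESSION_KEY)
    received = params["state"].to_s
    if expected.nil? || received.empty? || !secure_compare(expected, received)
      raise CsrfDetected, "csrf_detected | CSRF detected"
    end
    :ok
  end

  private

  # Constant-time comparison (extra here; not required for the CSRF property).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Drive one login round trip and report what the callback decides.
#   forged:       attacker replays a callback URL built from *their* session
#   session_lost: the callback arrives with a session lacking the stored state
#                 (for example the session cookie did not come back)
def run_flow(provider_ignores_state: false, forged: false, session_lost: false)
  guard = StateGuard.new(provider_ignores_state: provider_ignores_state)
  victim_session = {}
  redirect_url = guard.request_phase(victim_session)
  state_from_url = redirect_url[/state=([0-9a-f]+)/, 1]

  callback_state =
    if forged
      # Attacker completes their own flow and hands the victim that callback
      # URL; its state never lived in the victim's session.
      attacker_session = {}
      guard.request_phase(attacker_session)[/state=([0-9a-f]+)/, 1]
    else
      state_from_url
    end

  session_at_callback = session_lost ? {} : victim_session
  params = { "state" => callback_state, "code" => "4/constructed-sample-code" } # constructed
  guard.callback_phase(session_at_callback, params)
rescue CsrfDetected
  :csrf_detected
end

if __FILE__ == $PROGRAM_NAME
  puts run_flow                                             # :ok
  puts run_flow(forged: true)                               # :csrf_detected
  puts run_flow(forged: true, provider_ignores_state: true) # :ok (attack goes through)
  puts run_flow(session_lost: true)                         # :csrf_detected
end
```

The third case is the reason for the advice against provider_ignores_state: true: with the check off, a callback the user never initiated is accepted and the account gets linked to whatever identity the attacker authenticated. The fourth case shows that the same csrf_detected failure also fires for a legitimate user whenever the session that reaches the callback does not carry the stored state, so when only some users hit it, the session round trip between request and callback is the first thing to examine.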

AleksandrLeontev commented 5 years ago

@zquestz Thank you for the information. Yes, it looks like I should enable state. Interesting fact: I have this problem only for some Gmail-user authentications, not for all clients... For example, for me it works with state, but for some users it doesn't work, and it seems this problem appeared recently. Will research...

zquestz commented 5 years ago

Let me know what you find! Would love to get this resolved!

zquestz commented 3 years ago

No info for over a year. Closing.