
Conversation

@davidpatrick (Contributor) commented Apr 14, 2021

v3.0.0 (2021-04-14)

Version 3.0 introduces Omniauth v2.0 which addresses CVE-2015-9284. Omniauth now defaults to only allow POST as the allowed request_phase method.

Upgrading to omniauth-rails_csrf_protection v1.0.0

The mitigation to CVE-2015-9284 included using omniauth-rails_csrf_protection to provide CSRF protection.

You will still need to install this gem, additionally update it to the latest 1.x.x version

BREAKING CHANGES

Now that OmniAuth now defaults to only POST as the allowed request_phase method, you will need to convert any login links to use form helpers with the POST method.

```erb
<%# OLD: a plain GET link, which OmniAuth v2 no longer accepts for the request phase %>
<a href='/auth/auth0'>Login</a>

<%# NEW Example #1: link_to with method: :post (uses rails-ujs to submit a POST form) %>
<%= link_to 'Login', '/auth/auth0', method: :post %>

<%# NEW Example #2: button_to renders a small POST form with the authenticity token %>
<%= button_to 'Login', '/auth/auth0', method: :post %>

<%# NEW Example #3: an explicit POST form %>
<%= form_tag('/auth/auth0', method: :post) do %>
  <button type='submit'>Login</button>
<% end %>
```

Allowing GET Requests

In the scenario where you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:

```ruby
OmniAuth.config.allowed_request_methods = [:get, :post]
```
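To make the effect of the two checks concrete, here is an added illustration that is not code from omniauth, omniauth-auth0 or omniauth-rails_csrf_protection: a small pure-Ruby model of how a request to /auth/:provider is gated, first by the allowed-method list and then by the authenticity token. `session` and `params` are plain hashes standing in for the Rails session and request params; `RequestPhaseGuard`, `SESSION` and `FORM_OK` are names invented for this example.

```ruby
# Added illustration, not the gems' own code: models the two checks that gate
# the request phase in OmniAuth v2 + omniauth-rails_csrf_protection.
require "securerandom"

module RequestPhaseGuard
  # OmniAuth v2 default; the PR description shows overriding it with
  # OmniAuth.config.allowed_request_methods = [:get, :post].
  DEFAULT_ALLOWED = [:post].freeze
  # Verbs that Rails' CSRF verification treats as safe and does not check.
  SAFE_VERBS = [:get, :head].freeze

  # Constant-time comparison so a wrong token does not leak timing information.
  def self.secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the outcome of a login attempt as a symbol instead of a Rack response.
  def self.call(method:, session:, params:, allowed: DEFAULT_ALLOWED)
    verb = method.to_s.downcase.to_sym
    # Check 1 (OmniAuth v2): the verb must be on the allowlist.
    return :method_not_allowed unless allowed.include?(verb)
    # Check 2 (omniauth-rails_csrf_protection): the submitted form must carry
    # the session's authenticity token, otherwise the flow fails with
    # "authenticity_error". As in Rails, GET/HEAD skip this check, which is
    # why re-allowing GET reopens the login-CSRF path this release closes.
    unless SAFE_VERBS.include?(verb)
      token_ok = secure_equal?(session[:_csrf_token], params["authenticity_token"])
      return :authenticity_error unless token_ok
    end
    :redirect_to_provider
  end
end

# Constructed sample session and form data for a stand-alone run.
SESSION = { _csrf_token: SecureRandom.hex(16) }.freeze
FORM_OK = { "authenticity_token" => SESSION[:_csrf_token] }.freeze

if $PROGRAM_NAME == __FILE__
  # Old <a href='/auth/auth0'> link: rejected before any token check.
  p RequestPhaseGuard.call(method: :get, session: SESSION, params: {})
  # Cross-site POST, or a spec that posts without a token: authenticity_error.
  p RequestPhaseGuard.call(method: :post, session: SESSION, params: {})
  # button_to / form_tag with the token: proceeds to the provider.
  p RequestPhaseGuard.call(method: :post, session: SESSION, params: FORM_OK)
  # With the [:get, :post] override a bare GET passes through unchecked.
  p RequestPhaseGuard.call(method: :get, session: SESSION, params: {}, allowed: [:get, :post])
end
```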

@davidpatrick davidpatrick requested a review from a team as a code owner April 14, 2021 23:04
@davidpatrick davidpatrick merged commit cc67dd7 into master Apr 15, 2021
brenetic added a commit to ministryofjustice/fb-editor that referenced this pull request Apr 20, 2021
Moving to [version 3](auth0/omniauth-auth0#128) of omniauth-auth0, which uses Omniauth v2.0, combined
with omniauth-rails_csrf_protection mitigates [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)
@farjadfazli commented

@davidpatrick does upgrading to omniauth-auth0 3.0 gem still require us to do the mitigation for CVE-2015-9284 and/or use the omniauth-rails_csrf_protection gem as well? We just ran a bundle update on our repo and it updated to omniauth-auth0 3.0 but now our auth0 specs are failing with the below error:

```text
I, [2021-04-26T11:20:38.980836 #78017]  INFO -- :   Parameters: {"message":"authenticity_error","strategy":"auth0"}
  allows new user signup (FAILED - 1)
```

Any advice/guidance would be greatly appreciated! 🙂

@davidpatrick (Contributor, Author) commented

@farjadfazli yes you will need to update omniauth-rails_csrf_protection to 1.x.x. The new version of omniauth basically made the default behavior of the library to force the mitigation.

@sam0x17 commented Apr 30, 2021

We have implemented the above fix but we are encountering the following issue:

```text
An error occurred while loading spec_helper.
Failure/Error: Jets.boot

NameError:
  uninitialized constant OmniAuth::RailsCsrfProtection::Rails
```

We are using Ruby on Jets so it could be that we need to patch it to work with Jets. @tongueroo any ideas and/or should we open an issue on the Jets repo?

@tongueroo commented

@sam0x17 Bummed about this. It's not really a Jets patch issue. Also, OmniAuth::RailsCsrfProtection::Rails is really designed for Rails. Covered some more thoughts on this here: https://community.boltops.com/t/current-state-of-building-authentication-and-authorization-in-jets/691/2 So not an ideal answer but at least wanted to give you the current thoughts. Thanks!
