This change will affect folks that want to use the "state" param but could not.
Particularly for the omniauth-stripe-connect gem.
The commit makes the assumption that the state param will always be a SecureRandom.hex(24),
but that is not true.
Reverting back to the code below may be advisable.
Let me know if I'm wrong :-)
options.authorize_params[:state] = SecureRandom.hex(24)
This is a serious issue that needs to be fixed. Almost all omniauth-oauth2 authentication is broken with CSRF issues. The issue is similar to this one: mkdynamic/omniauth-facebook#73
Sadly, it does not only happen on Facebook, but happens to all omniauth-xxxx gems which use version 1.1.0 of omniauth-oauth2.
Those issues could be handled by adding provider_ignores_state: true to the omniauth configuration, but I am afraid that an attacker can use a weakness like the one in this article:
If you need to persist data between the request and callback phases please use a session or the like. By allowing state to be set, we open ourselves up to cases where omniauth-oauth2 may be secure but, unbeknownst to a user, a provider gem may not.
There are many ways to handle the requested use-cases, in both this ticket and others, where we don't need to sacrifice security.
I'll just add that OmniAuth is already kind enough to persist in the session any extra params you may send in your request.
So instead of passing data with
and getting it with
data = params[:state]
You can pass it with
and get it with
data = request.env['omniauth.params']['data']
And I think you can even omit the request and get the data with:
data = env['omniauth.params']['data']
Maybe it would be worth adding this to the README?
@GuilhermeSimoes This would definitely be worth adding to the README.
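The behaviour the thread settles on (state stays a server-generated nonce checked on callback; app data travels in extra request params and comes back as env['omniauth.params']) as an added, simplified model. This is not omniauth-oauth2's own code: the functions request_phase, callback_phase and secure_compare, the plain-Hash session, and the sample query values are all constructed for illustration.

```ruby
require 'securerandom'

# Raised when the callback's state does not match the one issued in the
# request phase (the login-CSRF case the thread is about).
class CsrfDetected < StandardError; end

# Request phase: issue the OAuth 2.0 "state" nonce and remember it, and stash
# any extra query params (e.g. ?data=foo) so the app can read them later.
# `session` is a plain Hash standing in for the Rack session (assumption).
def request_phase(session, query_params)
  state = SecureRandom.hex(24)
  session['omniauth.state']  = state
  session['omniauth.params'] = query_params.reject { |k, _| k == 'state' }
  # Parameters that would be sent to the provider's authorize endpoint.
  { 'state' => state, 'response_type' => 'code' }
end

# Callback phase: the provider redirects back with ?code=...&state=...
# The state must equal the one stored for this session; otherwise the
# callback was not started by this user's browser and is rejected.
def callback_phase(session, callback_params)
  expected = session.delete('omniauth.state')
  given    = callback_params['state']
  if expected.nil? || given.nil? || !secure_compare(expected, given)
    raise CsrfDetected, 'state mismatch'
  end
  # Hand the persisted app data to the application via the Rack env.
  { 'omniauth.params' => session.delete('omniauth.params') || {},
    'code'            => callback_params['code'] }
end

# Constant-time comparison so timing does not leak the expected state.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $0
  session = {}
  request_phase(session, { 'data' => 'return_to=/dashboard' })
  env = callback_phase(session, { 'code' => 'abc', 'state' => session['omniauth.state'] })
  puts env['omniauth.params']['data']   # return_to=/dashboard
end
```

A forged callback carrying the attacker's code but a state the session never issued raises CsrfDetected, while app data still round-trips through 'omniauth.params' without touching state.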