When params[:state] check fails, omniauth-oauth2 raises a generic CallbackError with no description or labeling.
raise CallbackError.new(nil, :csrf_detected)
The use of CallbackError here is also very counter-intuitive. And in the code above, CallbackError always means an error raised by the OAuth2 provider originally:
Likewise, "invalid_credentials" would immediately imply authentication failure on the provider-side, since OAuth clients do not perform any user authentication at all during the authorization phase.
The params[:state] check is a client-side validation; at a bare minimum it should be reported as something different from provider-originated errors. It'd be better if a CSRF alert could be included in either the exception or the log when the params[:state] check fails.
There are already several issues reported because of this non-descriptive CallbackError:
#20
#32
#24
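The following is an added example, not code from omniauth-oauth2 or from this issue, showing how a client-side state check can be reported separately from provider-originated errors: a distinct error class for the state mismatch, a log line that names the CSRF condition, and a constant-time comparison of the state nonce. The class names `ProviderCallbackError` and `CSRFDetectedError`, the session key `"omniauth.state"`, and the `handle_callback` / `classify_callback` helpers are all assumptions for illustration; only the `(error, error_reason, error_uri)` shape of the provider error is modelled on CallbackError.

```ruby
require "securerandom"

# Hypothetical error for failures the OAuth2 provider itself reported on the
# redirect (error / error_description / error_uri, RFC 6749 section 4.1.2.1).
# Shape modelled on CallbackError; not the gem's class.
class ProviderCallbackError < StandardError
  attr_reader :error, :error_reason, :error_uri

  def initialize(error, error_reason = nil, error_uri = nil)
    @error, @error_reason, @error_uri = error, error_reason, error_uri
    super("provider returned #{error}: #{error_reason}")
  end
end

# Hypothetical, distinct error for the client-side state check, so a mismatch
# can never be mistaken for something the provider said.
class CSRFDetectedError < StandardError
  def initialize(msg = "OAuth2 state mismatch (possible CSRF): callback state does not match session state")
    super
  end
end

# Issue a fresh state nonce and remember it in the session before redirecting
# to the provider. Session key name is an assumption.
def issue_state(session)
  session["omniauth.state"] = SecureRandom.hex(24)
end

# Constant-time byte comparison so the check leaks nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when both values are present and equal.
def state_valid?(expected, actual)
  return false if expected.nil? || actual.nil? || expected.empty?
  secure_compare(expected, actual)
end

# Handle the callback request. `params` is the query hash from the provider's
# redirect, `session` holds the state issued earlier, `log` collects messages.
# The stored state is consumed on first use regardless of outcome.
def handle_callback(params, session, log)
  expected = session.delete("omniauth.state")

  if params["error"]
    log << "provider error: #{params['error']} (#{params['error_description']})"
    raise ProviderCallbackError.new(params["error"], params["error_description"], params["error_uri"])
  end

  unless state_valid?(expected, params["state"])
    log << "CSRF detected: OAuth2 callback state does not match session state"
    raise CSRFDetectedError
  end

  :state_ok
end

# Map the outcome to a labelled pair so callers (and tests) can tell the two
# failure origins apart without inspecting exception types.
def classify_callback(params, session, log = [])
  handle_callback(params, session, log)
  [:ok, nil]
rescue ProviderCallbackError => e
  [:provider_error, e.error]
rescue CSRFDetectedError
  [:csrf_detected, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample flows: a good callback, a forged state, a provider error.
  session = {}
  state = issue_state(session)
  log = []
  puts classify_callback({ "state" => state, "code" => "abc" }, session, log).inspect
  session = {}
  issue_state(session)
  puts classify_callback({ "state" => "forged", "code" => "abc" }, session, log).inspect
  session = {}
  issue_state(session)
  puts classify_callback({ "error" => "access_denied" }, session, log).inspect
  puts log
end
```

The point of the separate class is that a rescue clause or log filter can match the state failure on its own, while a provider-reported `access_denied` or `invalid_request` still carries the provider's error code and description.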