Skip to content

'Could not authorize you from Facebook because "Csrf detected".' #73

tomsoderlund opened this Issue Jul 23, 2012 · 68 comments
joelvh commented Jul 27, 2012

Omniauth-oauth2 causes the CSRF detected error because something is redirecting to the callback URL twice in a row. First time the "state" value is there and your callback processes. Then immediately after, something redirects to the callback again, but the second time, the "state" value has been deleted from session and causes the error.

Here is where the state is verified and removed from session.

The question is, what is redirecting to the callback twice in a row? It only happens once in a while for me. My guess is Devise is accidentally storing the callback URL as the redirect URL? But not sure.....

afeld commented Aug 8, 2012

I'm seeing this twice in my logs each time I authorize:

(facebook) Callback phase initiated.

I'm trying to get post-auth redirects working with omniauth+devise, but it seems that the double redirects are clearing session['omniauth.origin'] as well. As a workaround, I created a new controller action that essentially does the following:

# app/controllers/omniauth_controller.rb

# GET /auth/fb_sso_proxy?return_to=...
def fb_sso_proxy
  session[:user_return_to] = params[:return_to] if params[:return_to]
  redirect_to user_omniauth_authorize_path(:facebook)

and do my authorization via Facebook through there - the redirect is then handled by Devise instead of OmniAuth. Would love to be able to remove this, though.

gaffo commented Aug 8, 2012

I'm getting the same issue but my error message unhelpful:

Started GET "/auth/facebook/callback?signed_request=REDACTED" for at 2012-08-08 23:18:32 +0000
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

Started GET "/auth/failure?message=invalid_credentials&strategy=facebook" for at 2012-08-08 23:18:32 +0000

ActionController::RoutingError (No route matches [GET] "/auth/failure"):

If I take the csrf check out things work fine

nogeek commented Aug 31, 2012

+1 on this however I only get it when using iphone and not through browser

amichal commented Sep 10, 2012

in my initial tests it seems to be related browser caching. Shift-reload in Chrome works always. If i let the browser request caching it fails (most of the time)

iamryo commented Sep 19, 2012

I am getting this error with or without sandbox enabled. Can't seem to find a real solution...


Got the same problem, seems to only happen when my app gets embedded in the FB Canvas. I just switch back to the 1.4.0 omniauth-facebook gem and it works. I hope someone can fix this issue.

slash7 commented Oct 15, 2012

+1, same problem, only when using Canvas. Downgraded to 1.4.0 and it seems to work.

ajbraus commented Oct 16, 2012

+1 getting this problem when I try to upgrade.


+1, Downgraded to 1.4.0 and all seems good again?

jalcine commented Oct 16, 2012

We shouldn't have to downgrade to get this working.

I propose (since I'm kind of busy but I might try to do this) to do a diff of 1.4.0 and 1.4.1 and see what on Earth changed that made this happen.

iamryo commented Oct 16, 2012

I fixed this in my app and it now works with 1.4.1. Unfortunately, I fixed it many commits ago and am not entirely sure of the solution, but I definitely found that I had the FB credentials in both my devise and my omniauth initializers. This could have been making FB think I was trying to login more than once. Let me know if this helps.. I can take a closer look and see what else I did if this isn't the fix you are all looking for.

jalcine commented Oct 20, 2012

@IAMRYO that makes sense, but if that's the case, when Devise and Omniauth are used in collaboration and a strategy is defined in both libraries, one should take precedence over the other. If they're the same, then just use Devise's configuration.

slash7 commented Oct 21, 2012

@IAMRYO , That might be a different problem. I'm not using omniauth-facebook with devise.

jalcine commented Oct 22, 2012

I'm not sure if it does, but if Omniauth can communicate with its parent authorization scheme, then it shouldn't be breaking DRY.

emkman commented Nov 14, 2012

@IAMRYO Thank you! I had the same problem, where I first defined an omniauth initializer and then added the strategy to the devise config. Removing the omniauth initializer fixed this for me.


+1 -- works on 1.4.0, but not 1.4.1. FWIW, I am not using Devise ... just straight-up OAuth2 + omniauth-facebook


+1 had a devise initializer with an omniauth section and separate omniauth initializer. both defined fb credentials. removing one and restarting worked.

gmccue commented Dec 7, 2012

@miraclecoder -- +1 This worked for me too. I'm using Devise and Omniauth-facebook, removing the omniauth Facebook initialization removed the duplicate callback phase.

mgogov commented Dec 8, 2012

@IAMRYO , +1
Removing the devise config from a devise + omniauth app worked fine (omniauth-facebook 1.4.1)

  1. Ensured that the FB credentials are initialized only once
  2. Downgraded to omniauth-facebook v1.4.0, that relies on pre-1.1+ omniauth-oauth2 (1.0.3)

Same issue:

Could not authenticate you from Facebook because "Csrf detected".

It happens on heroku, yet I cannot reproduce on dev.


Happening for me too with devise and omniauth-facebook. Just spent about 5 hours trying to get it working before finding this!

deevis commented Jan 27, 2013

FYI - this same 'Csrf detected' problem can also be caused by having a domain name mismatch between your live site and the site url configured within your facebook application.


+1 in case there was any doubt. Removed my omniauth initializer and it started working again (1.4.1)


Running into the same issue here with Rails 3.2.13 and Omniauth_facebook 1.4.1 . Downgrading the 1.4.0 didn't fix for me and I'm only calling it in the devise initializer.


And the mystery deepens...

Using the exact same account I can authenticate with Facebook correctly using Google Chrome, but using Safari I encounter the afforementioned error.

Safari version: Version 6.0.4 (7536.29.13)
Google Chrome version: Version 27.0.1453.93


I've fixed this issue now. Mine was caused by another issue to the one described above. Posting here for anybody else who may have a similar cause:

zolzaya commented Jun 11, 2013

+1 getting this problem

novito commented Jul 6, 2013

I'm getting this issue with Rails 4.


Running into this issue on Rails 4 as well. What should we do?


+1 same here (rails 4) while using JS


Did you all try #73 (comment)

bethcrb commented Aug 1, 2013

In my case, it turned out to be somewhat of a red herring; the first issue was that I was still in sandbox mode so the domain didn't match in production, and the second issue had to do with certain data unexpectedly missing from the auth hash that Facebook returned. Regardless, neither problem was related to the omniauth-facebook gem; I've been using Rails 4.0 and Ruby 2.0 for months now and I haven't experienced any other issues.


In my case downgrading omniauth-facebook to 1.4.0 made it work.

Pepan commented Aug 14, 2013

One of possible reasons : response from facebook "[14/Aug/2013:11:33:07 +0200] "GET /users/auth/facebook/callback?error_code=2000&error_message=The+specified+feature+has+been+temporarily+disabled+for+this+application&state=75efb6d35c7988871ff407f039c799a0fb8ae1f27a9d0fd5 HTTP/1.1" 500 441 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0""

But information in message is misleading. Right reason is that user is underage for example (app has age restriction).


downgrade worked

kuon commented Aug 20, 2013

Seems linked to #107 and #70

artemave commented Oct 1, 2013


binnyg commented Oct 24, 2013

Telling OmniAuth to ignore the state(:provider_ignores_state => true) worked both with 1.4.1 and 1.4.0.

provider :facebook, APP_CONFIG['FB_APP_ID'], APP_CONFIG['FB_APP_SECRET'], {:scope => fb_permissions, :provider_ignores_state => true}

This is where I found the fix

I am using
omniauth (1.1.4)
omniauth-facebook (1.4.1)

cv711 commented Oct 28, 2013

Same issue here too!
I am using Rails 4.0 and Ruby 2.0, without Devise at the time, so fix from @betjaminrichards doesn't apply.
Also, tried the fix from @binnyg but it didn't work either.

Only downgrading worked for me.

simi commented Nov 7, 2013

Can anyone try if this #96 works?

/cc @cv711

rvion commented Nov 13, 2013

avec rails 4 et ruby 2:
omniauth seulement:

  • provider :facebook, xxxxxxxxx, yyyyyyyyy, {:provider_ignores_state => true}

omniauth + devise:

  • config.omniauth :facebook, xxxxxxxxx, yyyyyyyyy, {:provider_ignores_state => true}
@kenips kenips referenced this issue in doorkeeper-gem/doorkeeper Nov 27, 2013

CSRF Support? #324


This is the same issue as #107. Closing this one to avoid splitting the discussion further.

@mkdynamic mkdynamic closed this Dec 12, 2013

Since this is open, plus I found this via Google more readily than #107, I'll leave this here in hopes it will help future generations:

I am on omniauth-facebook 1.6.0 and still needed to add provider_ignores_state: true in my Omniauth config like so:

config.omniauth :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_SECRET'], {
  strategy_class: OmniAuth::Strategies::Facebook,
  provider_ignores_state: true,

After adding that config option, the CSRF error goes away.


provider_ignores_state: true had already been mentioned. However, be aware that you are making your app susceptible to CSRF attacks by using that option.

provider_ignores_state: true is NOT a permanent solution.


@guilhermesimoes Is there a non chmod 777 option? As much as I'd like to engage Igor H., I'd prefer that we not have a security fail too soon.


True, you wouldn't want to mess with Homakov.

This is probably not the answer you're looking for but omniauth-facebook should work out of the box. If you use it solo (without any other gem) and set it up properly it should work. I'm using it with devise at this moment and it's working fine as well.

However, it seems to me like any deviation from the normal omniauth-facebook flow seems to trigger CSRF detection. So far, here are some of the things that seem to do it:

  • Defining your app credentials in two different initializers, usually omniauth.rb and devise.rb. source

  • Having a domain name mismatch between your live site and the site url configured within your OAuth application. source

  • Having a cookie domain that doesn't match the redirect_uri. source

  • Leaving the facebook application in sandbox mode, so the domain name doesn't match the production one. source

  • Adding a before_filter :authenticate to the OmniauthCallbacksController or ApplicationController (since OmniauthCallbacksController inherits from ApplicationController). source

  • Using omniauth-facebook in conjunction with Facebook's client-side flow. source

  • Messing with the state param.


I just got this error for omniauth-facebook with rails 3.2 and ruby 2.1.1 (it also occurs with omniauth-google_oauth2).

omniauth-facebook 1.6.0.

In my case it appears to be related to having cross-domain client-side sessions set up with

 My::Application.config.session_store :cookie_store,
                                    :key => '_my_app_session',
                                    :domain => :all,
                                    :tld_length => 2

removing the last 2 lines fixed it.

nneal commented Jun 25, 2014

I just got this issue as well. Rails 4.1.1, omniauth 1.6.0, Devise 3.2.4. I'm configuring FB auth only in one place (Devise). is only happening for some users sometimes, and I couldn't find a link between the cases. I'll report back if I can find a fix.

PS: downgrading to 1.4.0 caused other, more substantial bugs





simi commented Jul 6, 2014

Can anyone modify repo example to get this error?

scomma commented Jul 18, 2014

+1 Still getting this intermittently (quite randomly) with 1.6.0. Impossible to debug.

hajder commented Jul 27, 2014

Same here, problem randomly occurring on 1.6.0 but ONLY on a test host, maybe it has something to do with Facebook settings? Rails, Devise, etc versions the same between the instances.


+1 with omniauth-facebook (1.6.0) / omniauth-oauth2 (1.2.0) / omniauth (1.2.2)

hajder commented Aug 5, 2014

Ok, me problem lied in the fact that I had HTTP basis auth in application controller which kicked in AFTER omniauth but before the actual request. Browser behaviour was to redo the request, but state param was already removed from session by the first request.

Probably not a case for most of you but may help someone.

joshco commented Oct 21, 2014

Ahh.I also have httpauth invovled




Removing config.omniauth :facebook, ... from initializers/devise.rb made it work for me.

I was double loading it within omniauth-facebook.rb from mixing two tutorials.



Safari browser facebook login throws csrf_token error.
This only happened on development and staging environments.


I had this issue using:

  • rails 4
  • devise 3.4.0


I removed http_auth from my dev and staging environments controllers.


Upgrading to omniauth-facebook 2.0.0 fixed the issue for me (using FB JS SDK).
From the changelog: fix CSRF exception when using FB JS SDK and parsing signed request (765ed9, @mkdynamic)

simi commented Jan 3, 2015

Thanks for info @AlvaroOlivencia!

hecbuma commented Jan 30, 2015

For me was HTTP Auth the issue, I just get rid of it and that was all

BenV commented Feb 11, 2015

We ran into this issue after turning on encrypted cookies in Rails. Turns out we were making a simultaneous request when starting the auth flow which was overwriting the omniauth state. This didn't happen before encrypted cookies because they were only sent when changed. This post sums the issue up nicely:

mirzoz commented Jan 12, 2016

@emkman, your method really works! thanks bro!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.