New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
'Could not authorize you from Facebook because "Csrf detected".' #73
Comments
same is the issue with omniauth-oauth2 |
Omniauth-oauth2 causes the CSRF detected error because something is redirecting to the callback URL twice in a row. First time the "state" value is there and your callback processes. Then immediately after, something redirects to the callback again, but the second time, the "state" value has been deleted from session and causes the error. Here is where the state is verified and removed from session. https://github.com/intridea/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L71 The question is, what is redirecting to the callback twice in a row? It only happens once in a while for me. My guess is Devise is accidentally storing the callback URL as the redirect URL? But not sure..... |
I'm seeing this twice in my logs each time I authorize:
I'm trying to get post-auth redirects working with omniauth+devise, but it seems that the double redirects are clearing # app/controllers/omniauth_controller.rb
# GET /auth/fb_sso_proxy?return_to=...
def fb_sso_proxy
session[:user_return_to] = params[:return_to] if params[:return_to]
redirect_to user_omniauth_authorize_path(:facebook)
end and do my authorization via Facebook through there - the redirect is then handled by Devise instead of OmniAuth. Would love to be able to remove this, though. |
I'm getting the same issue but my error message unhelpful: Started GET "/auth/facebook/callback?signed_request=REDACTED" for 140.239.148.226 at 2012-08-08 23:18:32 +0000 Started GET "/auth/failure?message=invalid_credentials&strategy=facebook" for 140.239.148.226 at 2012-08-08 23:18:32 +0000 ActionController::RoutingError (No route matches [GET] "/auth/failure"): If I take the csrf check out things work fine |
+1 on this however I only get it when using iphone and not through browser |
in my initial tests it seems to be related browser caching. Shift-reload in Chrome works always. If i let the browser request caching it fails (most of the time) |
I am getting this error with or without sandbox enabled. Can't seem to find a real solution... |
Got the same problem, seems to only happen when my app gets embedded in the FB Canvas. I just switch back to the 1.4.0 omniauth-facebook gem and it works. I hope someone can fix this issue. |
+1, same problem, only when using Canvas. Downgraded to 1.4.0 and it seems to work. |
+1 getting this problem when I try to upgrade. |
+1, Downgraded to 1.4.0 and all seems good again? |
We shouldn't have to downgrade to get this working. I propose (since I'm kind of busy but I might try to do this) to do a diff of 1.4.0 and 1.4.1 and see what on Earth changed that made this happen. |
I fixed this in my app and it now works with 1.4.1. Unfortunately, I fixed it many commits ago and am not entirely sure of the solution, but I definitely found that I had the FB credentials in both my devise and my omniauth initializers. This could have been making FB think I was trying to login more than once. Let me know if this helps.. I can take a closer look and see what else I did if this isn't the fix you are all looking for. |
@iamryo that makes sense, but if that's the case, when Devise and Omniauth are used in collaboration and a strategy is defined in both libraries, one should take precedence over the other. If they're the same, then just use Devise's configuration. |
@iamryo , That might be a different problem. I'm not using omniauth-facebook with devise. |
I'm not sure if it does, but if Omniauth can communicate with its parent authorization scheme, then it shouldn't be breaking DRY. |
@iamryo Thank you! I had the same problem, where I first defined an omniauth initializer and then added the strategy to the devise config. Removing the omniauth initializer fixed this for me. |
+1 -- works on 1.4.0, but not 1.4.1. FWIW, I am not using Devise ... just straight-up OAuth2 + omniauth-facebook |
+1 had a devise initializer with an omniauth section and separate omniauth initializer. both defined fb credentials. removing one and restarting worked. |
@miraclecoder -- +1 This worked for me too. I'm using Devise and Omniauth-facebook, removing the omniauth Facebook initialization removed the duplicate callback phase. |
@iamryo , +1 |
Same issue:
It happens on heroku, yet I cannot reproduce on dev. |
Happening for me too with devise and omniauth-facebook. Just spent about 5 hours trying to get it working before finding this! |
FYI - this same 'Csrf detected' problem can also be caused by having a domain name mismatch between your live site and the site url configured within your facebook application. |
+1 in case there was any doubt. Removed my omniauth initializer and it started working again (1.4.1) |
Running into the same issue here with Rails 3.2.13 and Omniauth_facebook 1.4.1 . Downgrading the 1.4.0 didn't fix for me and I'm only calling it in the devise initializer. |
And the mystery deepens... Using the exact same account I can authenticate with Facebook correctly using Google Chrome, but using Safari I encounter the afforementioned error. Safari version: Version 6.0.4 (7536.29.13) |
Since this is open, plus I found this via Google more readily than #107, I'll leave this here in hopes it will help future generations: I am on omniauth-facebook 1.6.0 and still needed to add
After adding that config option, the CSRF error goes away. |
|
@guilhermesimoes Is there a non chmod 777 option? As much as I'd like to engage Igor H., I'd prefer that we not have a security fail too soon. |
True, you wouldn't want to mess with Homakov. This is probably not the answer you're looking for but However, it seems to me like any deviation from the normal
|
We got a similar to this error by double configuring in an omniauth initializer and devise config. Nuking the former fixed the csrf weirdness (we're also using twitters secure_headers gem)— On Tue, Mar 18, 2014 at 6:51 PM, Guilherme Simões
|
I just got this error for omniauth-facebook with rails 3.2 and ruby 2.1.1 (it also occurs with omniauth-google_oauth2). omniauth-facebook 1.6.0. In my case it appears to be related to having cross-domain client-side sessions set up with
removing the last 2 lines fixed it. |
I just got this issue as well. Rails 4.1.1, omniauth 1.6.0, Devise 3.2.4. I'm configuring FB auth only in one place (Devise). is only happening for some users sometimes, and I couldn't find a link between the cases. I'll report back if I can find a fix. PS: downgrading to 1.4.0 caused other, more substantial bugs |
+1 |
1 similar comment
+1 |
Can anyone modify repo example to get this error? |
+1 Still getting this intermittently (quite randomly) with 1.6.0. Impossible to debug. |
Same here, problem randomly occurring on 1.6.0 but ONLY on a test host, maybe it has something to do with Facebook settings? Rails, Devise, etc versions the same between the instances. |
+1 with omniauth-facebook (1.6.0) / omniauth-oauth2 (1.2.0) / omniauth (1.2.2) |
Ok, me problem lied in the fact that I had HTTP basis auth in application controller which kicked in AFTER omniauth but before the actual request. Browser behaviour was to redo the request, but state param was already removed from session by the first request. Probably not a case for most of you but may help someone. |
Ahh.I also have httpauth invovled |
+1 |
Removing I was double loading it within |
ProblemSafari browser facebook login throws csrf_token error. SetupI had this issue using:
FixI removed http_auth from my dev and staging environments controllers. |
Upgrading to omniauth-facebook 2.0.0 fixed the issue for me (using FB JS SDK). |
Thanks for info @AlvaroOlivencia! |
For me was HTTP Auth the issue, I just get rid of it and that was all |
We ran into this issue after turning on encrypted cookies in Rails. Turns out we were making a simultaneous request when starting the auth flow which was overwriting the omniauth state. This didn't happen before encrypted cookies because they were only sent when changed. This post sums the issue up nicely: http://techbrahmana.blogspot.com/2013/10/invalid-credentails-omniauth-oauth2.html |
@emkman, your method really works! thanks bro! |
So |
*SOLUTION that worked for me: clearing computer temps and cache, and clearing the browser. Reopening app. CSFR is a Cross Site Request Forgery. So, in this case, either it is a real attack happening or the site/app OKTA SSO verification system just thinks there is a Csfr going on. If it is not a Persistent attack, then clearing the cache/temps and browser and reopening might do. if not do that but also restart computer. Ultimately do clear cache but switch browser/app if possible for what is intended. Last but not least, if none of that work give your computer and network a thorough check up, might be actually infected. Of course, you could also just report the issue from beginning but might have to wait. I did the steps I stated here and it work for me without need of escalation. |
Seems like v1.4.1 introduced an issue with CSRF:
http://stackoverflow.com/questions/11548539/rails-3-2-facebook-auth-csrf-failure
http://stackoverflow.com/questions/11597130/omniauth-facebook-keeps-reporting-invalid-credentials
The text was updated successfully, but these errors were encountered: