After updating to v. 1.4 I get the error: invalid_credentials #75

Closed

sennor opened this Issue July 30, 2012 · 20 comments

sennor commented July 30, 2012

After updating to v. 1.4 I get the error: invalid_credentials

Everything works with v. 1.3.

What has changed, since I get the error invalid_credentials?

Tyler Hunt

I can confirm that there's an issue with authentication when using the Javascript SDK. It works fine with 1.3, but under 1.4 it's showing the following in the logs:

omniauth: (facebook) Callback phase initiated.
omniauth: (facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

This is the first time I've used omniauth-facebook, so when this didn't work, I assumed there was some issue on my end, but just downgrading to 1.3 fixed the issue for me.

Here's the client-side login call I'm using:

FB.login(
  function(response) { if (response.authResponse) location.href = '/auth/facebook/callback'; },
  { scope: 'email' }
);

I spent some time looking into the underlying libraries, and found that request.params was {} inside OmniAuth::Strategies::OAuth2#callback_phase. I wasn't able to determine why that was the case.

Stefano Verna

I have the very same problem.

bluegod

same issue here

Felipe Lima

+1 same issue with v1.4.1 and rails 3.2.9

Felipe Lima

Got same problem with 1.4.0:

(facebook) Callback phase initiated.
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OAuth2::Error, :
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}

Ian MacLeod

This is due to the CSRF protection that was introduced in omniauth-oauth2 1.1.0, as part of the OAuth2 spec. See intridea/omniauth-oauth2#20

I see two possible solutions:

  • Pass the state param along when you're hitting the callback URL via your client
  • Disable CSRF protection by setting provider_ignores_state: true in your OmniAuth configuration for the Facebook provider
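To make the two options concrete, here is an added Ruby model of the state check described above. It is not omniauth-oauth2's own code: the class name, the `omniauth.state` session key and the method shapes are assumptions modelled on the behaviour the thread reports, and the flow without a state param is the FB.login redirect from the first comment.

```ruby
require "securerandom"
class CallbackError < StandardError; end

# Stand-in for the state check omniauth-oauth2 1.1.0 added (assumed shape, not the gem's code).
class StateCheckingStrategy
  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
  end

  # Request phase (/auth/facebook): mint an unguessable state, keep it in the
  # session and send the browser to the provider with it in the authorize URL.
  def request_phase(session)
    session["omniauth.state"] = SecureRandom.hex(24)
    "https://www.facebook.com/dialog/oauth?state=#{session['omniauth.state']}"
  end

  # Callback phase (/auth/facebook/callback): the provider must echo the same
  # state back, otherwise the callback is rejected as "Csrf detected".
  def callback_phase(session, params)
    unless @provider_ignores_state
      expected = session.delete("omniauth.state").to_s
      given = params["state"].to_s
      raise CallbackError, "csrf_detected" if given.empty? || !same?(given, expected)
    end
    :exchange_code # the gem would now trade params["code"] for an access token
  end

  # Constant-time comparison so a mismatch does not leak the state byte by byte.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Run either flow from the thread: server-initiated via /auth/facebook, or FB.login jumping straight to the callback.
def simulate(js_sdk_flow:, provider_ignores_state: false)
  strategy = StateCheckingStrategy.new(provider_ignores_state: provider_ignores_state)
  session = {}
  if js_sdk_flow
    params = {} # location.href = '/auth/facebook/callback' carries no state or code
  else
    strategy.request_phase(session)
    params = { "state" => session["omniauth.state"], "code" => "constructed-code" }
  end
  strategy.callback_phase(session, params)
rescue CallbackError => e
  e.message.to_sym # :csrf_detected
end
```

Setting provider_ignores_state: true only skips this comparison for that provider; the callback still needs a code to exchange, which the bare redirect does not carry, so starting the flow at /auth/facebook so that state round-trips is the option that keeps the protection.
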

Marius Butuc

  1. Ensured that the FB credentials are initialized only once
  2. Downgraded to omniauth-facebook v1.4.0, that relies on pre-1.1+ omniauth-oauth2 (1.0.3)

Same issue:

Could not authenticate you from Facebook because "Csrf detected".

It happens on heroku, yet I cannot reproduce on dev.

Martin Streicher

I have been wrestling with this issue for a few weeks, trying to narrow down the issue. Specifically, I had a production machine running fine, but other machines, which had newer code, would fail with an error resembling this...

Started GET "/auth/facebook/callback?state=6p8KdhTDTUc3dm99m58nM2ZFkJu&code=AQA4QwOgJaexMD9yZubhVoBHyMjFGejf4vt3qxSOzVQdZc9NtTsAzMu54TD18lWT3R_73BjOyKTceQmoplYPrWXYrm8mQEtzVX4-BEue_3A2ZgTo6-_mRJzIycLeLZI-47QDfYpb1CJBy8NPARwbz6MpNfdiIElRD9udqZDbKhugMHQRUZeyWl19RiEWhxvUDtq1nYSF3gnLg4uUkWE4xylO" for 127.0.0.1 at 2013-01-03 13:09:09 -0500
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError
Processing by SessionsController#failure as HTML
  Parameters: {"state"=>"6p8KdhTDTUc3dm99m58nM2ZFkJu", "code"=>"AQA4QwOgJaexMD9yZubhVoBHyMjFGejf4vt3qxSOzVQdZc9NtTsAzMu54TD18lWT3R_73BjOyKTceQmoplYPrWXYrm8mQEtzVX4-BEue_3A2ZgTo6-_mRJzIycLeLZI-47QDfYpb1CJBy8NPARwbz6MpNfdiIElRD9udqZDbKhugMHQRUZeyWl19RiEWhxvUDtq1nYSF3gnLg4uUkWE4xylO"}
Redirected to 
Completed 500 Internal Server Error in 1ms

ActionController::ActionControllerError (Cannot redirect to nil!):
  app/controllers/sessions_controller.rb:30:in `block (2 levels) in failure'
  app/controllers/sessions_controller.rb:25:in `failure'

Ultimately, reverting to Rails 3.2.8 from 3.2.9 solved the issue. omniauth_facebook was fine at v1.4.1. Here is the relevant section of gem list.

omniauth (1.1.1)
omniauth-facebook (1.4.1)
omniauth-google-oauth2 (0.1.13)
omniauth-identity (1.1.0)
omniauth-linkedin (0.0.8)
omniauth-oauth (1.0.1)
omniauth-oauth2 (1.1.1)
omniauth-twitter (0.0.14)

I have not looked around yet to see why 3.2.9 affects the results.

Martin Streicher

Any clues why 3.2.8 would work but 3.2.9 does not?

Felipe Lima

I tried with omniauth-facebook 1.4.0 and provider_ignores_state: true, as suggested by @nevir but still not working :(

dcdieci

I get the same error on rails 3.2.8 with omniauth-google-oauth2 (0.1.13)
"Could not authenticate you from Google oauth2 because "Csrf detected"."
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

Alexander Wenzowski

Can confirm that this issue occurs with the example app in current master 9ae9f28 and can confirm that FB.login is returning a response with valid tokens.

FB.login(function (response) { console.log(response); } );
» Object {authResponse: Object, status: "connected"}
  » authResponse: Object
    accessToken: "AAAF8v9vZB1RYBAIS4Wy9PPRkSNZCXr7Eof0OLJkBWQ9hAXdYEdazmYmlIRCizZCwg78ZCs6OizINRonmphs7LzjTnRJLitj0DiMO3vToNAZDZD"
    expiresIn: 5166
    signedRequest: "mtpuAbElOdI2hEqM5xjdErLA797lNe-7J8sQZhKYoFk.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURwM08xY0w4NmpoWTBNd0hEQUdEQlJEcWliOE5naXVydlN0bjdrd29Ka1ptYXo0MTR6M2FFakNzeVpvVkpoMWhDYms3dUdLNnVObGJiSDRTMVZNUHpHeDJvampTUHZETENLaDZCMEo3Q0lYQXVwVlgwV1NfUGl4aV9CalVpV0g2Z1Nuell5TUxObWthLXpscmdnT05ZVUdUQldzX2NNTWc2clM3eXRzaUNmbndQdkd1R0MyQS0yb3dlYTB0Q3E0ck55ZXJvT2dBZzBPdHctVUQwTlktR3EiLCJpc3N1ZWRfYXQiOjEzNjAwMTAwMzQsInVzZXJfaWQiOiIxMjE1MDE2NjgifQ"
    userID: "121501668"
  status: "connected"

Can also confirm that no cookies are being set until a graph call is made in js. For example

FB.api('/me', function(response) {
  alert('Your name is ' + response.name);
});

Appears to set lu, fr, datr, csm, locale, xs, s and c_user, of which the last 3 are secure.
Does not appear to set any cookies beginning with the prefix fbsr_ which this gem is looking for.

Suggestion by @nevir to explicitly pass data to the callback seems sensible to me.

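Since the comment above turns on whether the fbsr_ cookie this gem looks for is present, here is an added Ruby example (not omniauth-facebook's code) of what that cookie carries: a signed_request in the same format as authResponse.signedRequest shown earlier, base64url(HMAC-SHA256 signature) + "." + base64url(JSON payload). The app secret, the code and the issued_at value are constructed; the function names are assumptions.

```ruby
require "openssl"
require "json"

APP_SECRET = "constructed-app-secret" # constructed; the real one comes from the app dashboard

# base64url without padding, as used in Facebook signed requests.
def base64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def base64url_decode(str)
  str.tr("-_", "+/").unpack1("m") # "m" tolerates missing padding
end

# Constant-time comparison of two byte strings.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds a signed_request the way the provider does; used here only to create sample input.
def make_signed_request(payload, secret)
  encoded = base64url_encode(JSON.generate(payload))
  "#{base64url_encode(OpenSSL::HMAC.digest('sha256', secret, encoded))}.#{encoded}"
end

# Verifies the HMAC-SHA256 signature over the encoded payload and returns the
# decoded payload, or nil on a bad signature, wrong algorithm or malformed input.
def parse_signed_request(signed_request, secret)
  sig_b64, payload_b64 = signed_request.to_s.split(".", 2)
  return nil if sig_b64.nil? || payload_b64.nil?
  payload = JSON.parse(base64url_decode(payload_b64))
  return nil unless payload.is_a?(Hash) && payload["algorithm"].to_s.upcase == "HMAC-SHA256"
  expected = OpenSSL::HMAC.digest("sha256", secret, payload_b64)
  constant_time_equal?(base64url_decode(sig_b64), expected) ? payload : nil
rescue JSON::ParserError, ArgumentError
  nil
end

# Constructed sample with the same fields as the authResponse.signedRequest above.
SAMPLE = make_signed_request(
  { "algorithm" => "HMAC-SHA256", "code" => "constructed-code",
    "issued_at" => 1_360_010_034, "user_id" => "121501668" },
  APP_SECRET
)
```

The "code" field of a verified payload is what gets exchanged for an access token on the server, which is why a missing fbsr_ cookie leaves the callback with nothing to work with.
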
Martin Streicher

@wenzowski Do you mean the state variable?

Alexander Wenzowski

@martinstreicher no idea how the ruby plumbing works yet; just checked out this lib today. From what I'm seeing the fb api isn't behaving as expected: it's not setting cookies with the expected prefix. I'm seeing this error due to that problem.

Ideally there would be something more graceful than manually combining response.authResponse and info_response in js and pushing that (get/post vars) at the callback and parsing that instead of the cookie. If there isn't anything better all the info is in these two vars.

FB.login(function (response) { console.log(response.authResponse); } );
FB.api('/me', function(info_response) {
   console.log(info_response);
});

Piotr Chmolowski

To everyone having this issue with omniauth-google-oauth2: in my case, it was a problem with redirect_uri. The state param is probably a checksum of the originating url, so if redirect_uri doesn't match, you'll get invalid_credentials.

If you're using pow, you might need to add a valid TLD to POW_DOMAINS (e.g. .xxx), since Google oauth doesn't permit .dev domains.

Nilesh

It worked fine until a couple days ago but today I am running into https://developers.facebook.com/bugs/207955409343730?browse=search_5111d8fef19103526726758

Could these issues be related?

Nilesh

Turned out I was running into a facebook issue that got resolved last night https://developers.facebook.com/bugs/207955409343730

Ryan Romanchuk

Why is this still open? :-1:

sennor closed this April 21, 2013

Chee Yeo

Why is this closed, as it is still happening? Or maybe update the README to specify how to fix this?

I ran into the same problem in dev mode today and the only way to fix it was using @nevir's method of setting provider_ignores_state: true inside the devise omniauth config file

davidtingsu referenced this issue from a commit in davidtingsu/calcentral November 10, 2013
working facebook auth hack
store facebook user data as part of UserData after login
hardcoded application id and secret

resources: mkdynamic/omniauth-facebook#75
http://railscasts.com/episodes/360-facebook-authentication?view=asciicast
0002c41