After updating to v. 1.4 I get the error: invalid_credentials #75

sennor opened this Issue Jul 30, 2012 · 20 comments



After updating to v. 1.4 I get the error: invalid_credentials

Everything works with v. 1.3.

What has changed, since I now get the error invalid_credentials?


I can confirm that there's an issue with authentication when using the JavaScript SDK. It works fine with 1.3, but under 1.4 it's showing the following in the logs:

omniauth: (facebook) Callback phase initiated.
omniauth: (facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

This is the first time I've used omniauth-facebook, so when this didn't work, I assumed there was some issue on my end, but just downgrading to 1.3 fixed the issue for me.

Here's the client-side login call I'm using:

  FB.login(
    function(response) { if (response.authResponse) location.href = '/auth/facebook/callback'; },
    { scope: 'email' }
  );

I spent some time looking into the underlying libraries, and found that request.params was {} inside OmniAuth::Strategies::OAuth2#callback_phase. I wasn't able to determine why that was the case.


I have the very same problem.


same issue here


+1 same issue with v1.4.1 and rails 3.2.9


Got same problem with 1.4.0:

(facebook) Callback phase initiated.
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OAuth2::Error, :
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}


This is due to the CSRF protection that was introduced in omniauth-oauth2 1.1.0, as part of the OAuth2 spec. See intridea/omniauth-oauth2#20

I see two possible solutions:

  • Pass the state param along when you're hitting the callback URL via your client
  • Disable CSRF protection by setting provider_ignores_state: true in your OmniAuth configuration for the Facebook provider
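
To make the two options above concrete, here is an added example (not omniauth-oauth2's own code) that models the state check the library runs in its callback phase and the provider_ignores_state switch. The session hash, the request_phase/callback_phase names and the authorization code are assumptions for the example; the logs in this thread show the failing check surfacing as invalid_credentials with a CallbackError and the message "Csrf detected".

```ruby
require 'securerandom'

# Added example, not omniauth-oauth2's own code: a minimal model of the state
# check that omniauth-oauth2 >= 1.1.0 runs in its callback phase, plus the
# provider_ignores_state option that switches the check off.
class StateCheck
  OK                  = :ok
  CSRF_DETECTED       = :csrf_detected       # state param missing or mismatched
  INVALID_CREDENTIALS = :invalid_credentials # no authorization code in the callback

  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
  end

  # Request phase (GET /auth/facebook): mint a random state, keep it in the
  # Rack session and return it so the caller can put it on the authorize URL.
  def request_phase(session)
    state = SecureRandom.hex(24)
    session['omniauth.state'] = state
    state
  end

  # Callback phase (GET /auth/facebook/callback): the state sent back must
  # equal the one in the session. The stored value is consumed here, so a
  # second callback with the same state is rejected as well.
  def callback_phase(session, params)
    expected = session.delete('omniauth.state').to_s
    unless @provider_ignores_state
      sent = params['state'].to_s
      return CSRF_DETECTED if sent.empty? || !same_secret?(sent, expected)
    end
    return INVALID_CREDENTIALS if params['code'].to_s.empty?
    OK
  end

  private

  # Length check plus constant-time comparison (inlined here; a real app
  # would use Rack::Utils.secure_compare).
  def same_secret?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The situations reported in this thread, with a constructed authorization code.
def thread_scenarios
  code   = 'CONSTRUCTED_AUTH_CODE'
  strict = StateCheck.new

  # 1. The JS SDK sends the browser straight to the callback without the
  #    state param (request.params was {} above): rejected by default.
  no_state_session = {}
  strict.request_phase(no_state_session)
  no_state = strict.callback_phase(no_state_session, { 'code' => code })

  # 2. Fix A: the client carries the state param along to the callback.
  state_session = {}
  state = strict.request_phase(state_session)
  with_state = strict.callback_phase(state_session, { 'state' => state, 'code' => code })

  # 2b. Replaying that callback fails: the session's copy of the state is gone.
  replay = strict.callback_phase(state_session, { 'state' => state, 'code' => code })

  # 3. Fix B: provider_ignores_state: true skips the check entirely.
  lenient = StateCheck.new(provider_ignores_state: true)
  lenient_session = {}
  lenient.request_phase(lenient_session)
  ignored = lenient.callback_phase(lenient_session, { 'code' => code })

  { no_state: no_state, with_state: with_state, replay: replay, ignored: ignored }
end

puts thread_scenarios.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints `{:no_state=>:csrf_detected, :with_state=>:ok, :replay=>:csrf_detected, :ignored=>:ok}`: the client-side redirect in the earlier comment is case 1, and the replayed callback shows why the check also stops a reused callback URL. Option B removes that protection for the whole provider, so option A is the one to prefer where the client can carry the state.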


  1. Ensured that the FB credentials are initialized only once
  2. Downgraded to omniauth-facebook v1.4.0, that relies on pre-1.1+ omniauth-oauth2 (1.0.3)

Same issue:

Could not authenticate you from Facebook because "Csrf detected".

It happens on heroku, yet I cannot reproduce on dev.


I have been wrestling with this issue for a few weeks, trying to narrow down the issue. Specifically, I had a production machine running fine, but other machines, which had newer code, would fail with an error resembling this...

Started GET "/auth/facebook/callback?state=6p8KdhTDTUc3dm99m58nM2ZFkJu&code=AQA4QwOgJaexMD9yZubhVoBHyMjFGejf4vt3qxSOzVQdZc9NtTsAzMu54TD18lWT3R_73BjOyKTceQmoplYPrWXYrm8mQEtzVX4-BEue_3A2ZgTo6-_mRJzIycLeLZI-47QDfYpb1CJBy8NPARwbz6MpNfdiIElRD9udqZDbKhugMHQRUZeyWl19RiEWhxvUDtq1nYSF3gnLg4uUkWE4xylO" for at 2013-01-03 13:09:09 -0500
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError
Processing by SessionsController#failure as HTML
  Parameters: {"state"=>"6p8KdhTDTUc3dm99m58nM2ZFkJu", "code"=>"AQA4QwOgJaexMD9yZubhVoBHyMjFGejf4vt3qxSOzVQdZc9NtTsAzMu54TD18lWT3R_73BjOyKTceQmoplYPrWXYrm8mQEtzVX4-BEue_3A2ZgTo6-_mRJzIycLeLZI-47QDfYpb1CJBy8NPARwbz6MpNfdiIElRD9udqZDbKhugMHQRUZeyWl19RiEWhxvUDtq1nYSF3gnLg4uUkWE4xylO"}
Redirected to 
Completed 500 Internal Server Error in 1ms

ActionController::ActionControllerError (Cannot redirect to nil!):
  app/controllers/sessions_controller.rb:30:in `block (2 levels) in failure'
  app/controllers/sessions_controller.rb:25:in `failure'

Ultimately, reverting to Rails 3.2.8 from 3.2.9 solved the issue. omniauth_facebook was fine at v1.4.1. Here is the relevant section of gem list.

omniauth (1.1.1)
omniauth-facebook (1.4.1)
omniauth-google-oauth2 (0.1.13)
omniauth-identity (1.1.0)
omniauth-linkedin (0.0.8)
omniauth-oauth (1.0.1)
omniauth-oauth2 (1.1.1)
omniauth-twitter (0.0.14)

I have not looked around yet to see why 3.2.9 affects the results.


Any clues why 3.2.8 would work but 3.2.9 does not?


I tried with omniauth-facebook 1.4.0 and provider_ignores_state: true, as suggested by @nevir but still not working :(


I get the same error on rails 3.2.8 with omniauth-google-oauth2 (0.1.13)
"Could not authenticate you from Google oauth2 because "Csrf detected"."
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError


can confirm that this issue occurs with the example app in current master 9ae9f28 and can confirm that FB.login is returning a response with valid tokens.

FB.login(function (response) { console.log(response); } );
» Object {authResponse: Object, status: "connected"}
  » authResponse: Object
    accessToken: "AAAF8v9vZB1RYBAIS4Wy9PPRkSNZCXr7Eof0OLJkBWQ9hAXdYEdazmYmlIRCizZCwg78ZCs6OizINRonmphs7LzjTnRJLitj0DiMO3vToNAZDZD"
    expiresIn: 5166
    signedRequest: "mtpuAbElOdI2hEqM5xjdErLA797lNe-7J8sQZhKYoFk.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURwM08xY0w4NmpoWTBNd0hEQUdEQlJEcWliOE5naXVydlN0bjdrd29Ka1ptYXo0MTR6M2FFakNzeVpvVkpoMWhDYms3dUdLNnVObGJiSDRTMVZNUHpHeDJvampTUHZETENLaDZCMEo3Q0lYQXVwVlgwV1NfUGl4aV9CalVpV0g2Z1Nuell5TUxObWthLXpscmdnT05ZVUdUQldzX2NNTWc2clM3eXRzaUNmbndQdkd1R0MyQS0yb3dlYTB0Q3E0ck55ZXJvT2dBZzBPdHctVUQwTlktR3EiLCJpc3N1ZWRfYXQiOjEzNjAwMTAwMzQsInVzZXJfaWQiOiIxMjE1MDE2NjgifQ"
    userID: "121501668"
  status: "connected"

Can also confirm that no cookies are being set until a graph call is made in js. For example

FB.api('/me', function(response) {
  alert('Your name is ' + response.name);
});

Appears to set lu, fr, datr, csm, locale, xs, s and c_user, of which the last 3 are secure.
Does not appear to set any cookies beginning with the prefix fbsr_ which this gem is looking for.

Suggestion by @nevir to explicitly pass data to the callback seems sensible to me.


@wensowski Do you mean the state variable?


@martinstreicher no idea how the ruby plumbing works yet; just checked out this lib today. From what I'm seeing the fb api isn't behaving as expected: it's not setting cookies with the expected prefix. I'm seeing this error due to that problem.

Ideally there would be something more graceful than manually combining response.authResponse and info_response in js and pushing that (get/post vars) at the callback and parsing that instead of the cookie. If there isn't anything better all the info is in these two vars.

FB.login(function (response) { console.log(response.authResponse); } );
FB.api('/me', function(info_response) {
  console.log(info_response);
});
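
The fbsr_ cookie discussed above carries a Facebook signed_request, the same value the JS SDK returns as authResponse.signedRequest. As an added example (not omniauth-facebook's own code), this is how that value is decoded and verified before any of its fields are trusted. The user_id and issued_at match the signedRequest decoded above; the app secret and the code are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not omniauth-facebook's own code: parsing and verifying a
# Facebook signed_request, the value the JS SDK returns as
# authResponse.signedRequest and writes into the fbsr_<app_id> cookie that
# the gem reads. Wire format:
#   base64url(HMAC-SHA256(payload, app_secret)) "." base64url(payload)
APP_SECRET = 'constructed-app-secret-not-a-real-one' # constructed for this example

def base64url_encode(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end

def base64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  Base64.decode64(padded)
end

def hmac_sha256(secret, data)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, data)
end

# Builds a signed_request the way the provider does; used here only to
# construct the samples below.
def sign_request(payload_hash, secret)
  payload = base64url_encode(JSON.generate(payload_hash))
  "#{base64url_encode(hmac_sha256(secret, payload))}.#{payload}"
end

# Verifies the signature and returns the decoded payload, or nil when the
# value is malformed, names an unexpected algorithm, or fails verification.
def parse_signed_request(signed_request, secret)
  encoded_sig, payload = signed_request.to_s.split('.', 2)
  return nil if encoded_sig.nil? || payload.nil?
  data = begin
    JSON.parse(base64url_decode(payload))
  rescue JSON::ParserError
    return nil
  end
  return nil unless data.is_a?(Hash) && data['algorithm'].to_s.upcase == 'HMAC-SHA256'
  expected = hmac_sha256(secret, payload)
  actual   = base64url_decode(encoded_sig)
  # Length check plus constant-time comparison of the two MACs.
  return nil unless expected.bytesize == actual.bytesize &&
                    expected.bytes.zip(actual.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  data
end

# Samples: a genuine value, the same signature over a re-encoded payload,
# verification with the wrong secret, and a value that is not a signed_request.
def signed_request_demo
  payload = { 'algorithm' => 'HMAC-SHA256', 'code' => 'CONSTRUCTED_CODE',
              'issued_at' => 1360010034, 'user_id' => '121501668' }
  genuine = sign_request(payload, APP_SECRET)

  sig = genuine.split('.', 2).first
  forged = "#{sig}.#{base64url_encode(JSON.generate(payload.merge('user_id' => '1')))}"

  {
    genuine:      parse_signed_request(genuine, APP_SECRET),
    forged:       parse_signed_request(forged, APP_SECRET),
    wrong_secret: parse_signed_request(genuine, 'some-other-secret'),
    garbage:      parse_signed_request('not-a-signed-request', APP_SECRET)
  }
end

puts signed_request_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Only the genuine entry decodes to a hash; the other three come back nil. The payload's code field is what the gem exchanges for an access token, so the signature check is what stops a client from handing the callback an arbitrary user_id or code of its own choosing, which is also why passing authResponse fields to the callback as plain GET/POST parameters is only safe if the server verifies the signedRequest rather than trusting the bare fields.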


pch commented Feb 5, 2013

To everyone having this issue with omniauth-google-oauth2: in my case, it was a problem with redirect_uri. The state param is probably a checksum of the originating url, so if redirect_uri doesn't match, you'll get invalid_credentials.

If you're using pow, you might need to add a valid TLD to POW_DOMAINS (e.g. .xxx), since Google oauth doesn't permit .dev domains.


It worked fine until a couple days ago but today I am running into

Could these issues be related?


Turned out I was running into a facebook issue that got resolved last night


why is this still open 👎



@sennor sennor closed this Apr 21, 2013

Why is this closed, as it is still happening? Or maybe update the README to specify how to fix this?

I ran into the same problem in dev mode today, and the only way to fix it was using @nevir's method of setting provider_ignores_state: true inside the devise omniauth config file.

@davidtingsu davidtingsu added a commit to davidtingsu/calcentral that referenced this issue Nov 11, 2013
@davidtingsu davidtingsu working facebook auth hack
store facebook user data as part of UserData after login
hardcoded application id and secret

resources: mkdynamic/omniauth-facebook#75