Nonce mismatch Error #76

Closed
hoffdog opened this issue Sep 30, 2021 · 10 comments
hoffdog commented Sep 30, 2021

Any idea what might be causing this error? Everything seems to be "wired" correctly when I log in to my web app, but I see this flash message:
Could not authenticate you from Apple because "Nonce mismatch".

One thing I noticed: if I change :lax to :none, the error goes away. However, it no longer works in Chrome. Not ideal.
config.action_dispatch.cookies_same_site_protection = :lax

Logs:
ERROR -- omniauth: (apple) Authentication failure! nonce_mismatch: OmniAuth::Strategies::OAuth2::CallbackError, nonce_mismatch | nonce mismatch

hoffdog (Author) commented Sep 30, 2021

What causes this error?


Meat-Chopper commented Oct 1, 2021

It reproduces if you store the session in cookies.
The Chrome browser doesn't send cookies on the POST request from Apple's site, so a new session is created by default.
A workaround is implemented in the link above:
1. Prevented the creation of a new session on a POST request.
2. Redirected the request to be sent to the same location with the same parameters. Since there is a GET request after the redirect, Chrome includes cookies in the request.
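The failure mode and the workaround described above, as an added illustration that is not code from omniauth-apple or from this thread: a small Ruby model of a cookie-backed session, a simplified browser rule for when a SameSite cookie is attached to a cross-site request, and the POST-to-GET redirect. The class and method names are hypothetical; the SameSite rule is reduced to the cases the thread relies on.

```ruby
require "securerandom"

# Simplified browser rule: is this cookie attached to the request?
# Lax cookies ride only on top-level GET navigations when the request is
# cross-site; Apple's form_post callback arrives as a cross-site POST.
def cookie_sent?(same_site, method, cross_site)
  return true unless cross_site
  case same_site
  when :none then true   # also sent on cross-site POSTs: the risk salzig raises
  when :lax then method == "GET"
  else false             # :strict
  end
end

# Models the OmniAuth request/callback phases with a cookie-backed session.
class AppleCallbackSim
  def initialize(same_site:, redirect_post: false)
    @same_site = same_site
    @redirect_post = redirect_post
    @sessions = {} # session id (the cookie value) => session data
  end

  # request_phase: mint a nonce, keep it in the session, send it to Apple
  def request_phase
    sid = SecureRandom.hex(8)
    nonce = SecureRandom.hex(16)
    @sessions[sid] = { "nonce" => nonce }
    [sid, nonce]
  end

  # callback_phase: Apple POSTs the id_token (carrying the nonce) back to us
  def callback_phase(sid, id_token_nonce, method: "POST", cross_site: true)
    if method == "POST" && @redirect_post
      # Workaround from the thread: answer the POST with a redirect to the same
      # URL and parameters; the browser's follow-up GET carries Lax cookies.
      return callback_phase(sid, id_token_nonce, method: "GET", cross_site: cross_site)
    end
    # No cookie on the request means Rails builds a fresh, empty session.
    session = cookie_sent?(@same_site, method, cross_site) ? @sessions.fetch(sid, {}) : {}
    session["nonce"] == id_token_nonce ? :ok : :nonce_mismatch
  end
end

# One login round-trip under a given cookie configuration.
def run_scenario(same_site:, redirect_post: false)
  sim = AppleCallbackSim.new(same_site: same_site, redirect_post: redirect_post)
  sid, nonce = sim.request_phase
  sim.callback_phase(sid, nonce)
end
```

`run_scenario(same_site: :lax)` reproduces the mismatch, while `:none` and `:lax` with `redirect_post: true` both verify the nonce; a nonce that does not match the session is still rejected in every configuration.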


vasaf commented Nov 8, 2021

Try this https://github.com/discourse/discourse-apple-auth/blob/40ef076fa744d562ce54f3f30921a1b387e042fb/lib/omniauth_apple.rb#L60

Where should I be implementing this solution? A bit stuck on this one.


Meat-Chopper commented Nov 9, 2021

Just monkeypatch the class OmniAuth::Strategies::Apple with the method callback_phase from the link.

@Meat-Chopper

I'd prefer it to be merged into this gem, but it's up to maintainers.


vasaf commented Nov 9, 2021

Just monkeypatch class OmniAuth::Strategies::Apple with the method callback_phase from the link

Thanks! That did the trick.

quadule added a commit to wrapbook/omniauth-apple that referenced this issue Mar 18, 2022
nov (Collaborator) commented Sep 27, 2022

Set SameSite=none instead of redirect.

nov closed this as completed Sep 27, 2022

hoffdog (Author) commented Sep 27, 2022

Thank you for all your work!


salzig commented May 31, 2023

Instead of opening up the session to potential security risks, we may merge #107 and allow the nonce to be stored in its own encrypted cookie?
