1.4.0 makes my rails app unable to sign in with facebook

[PikachuEXE]

rails 4.1.13
devise 3.5.2
omniauth (1.2.2)
omniauth-facebook (2.0.1)

1.3.1 was fine

Error:

(facebook) Authentication failure! invalid_credentials: OAuth2::Error, :
{"error":{"message":"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request","type":"OAuthException","code":100,"fbtrace_id":"GjHr4Inn5Rq"}}

[hmnhf]

I'm getting the same error with omniauth-google-oauth2, after upgrading to 1.4.0.

(google_oauth2) Authentication failure! invalid_credentials: OAuth2::Error, redirect_uri_mismatch: 
{
  "error" : "redirect_uri_mismatch"
}

[assembler]

+1 here with google. getting redirect_uri_mismatch as well

[assembler]

I guess it has to do with this commit:

2615267

[itmiguelfernandes]

I'm getting the same problem.
"message":"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request","type":"OAuthException","code":100,"

[libermans]

Yes it's because of 2615267 by @sferik . The redefinition of callback_url was deleted from OmniAuth::Strategies::OAuth2 while it was used in the strategy to get redirect_uri, which should be the same redirect_uri which we sent to facebook without params (code, etc).

You can use 1.3.1 version of the gem before the bug would be fixed.

[dja]

+1 to 1.3.1 temporarily fixes the issue

[pravsels]

i struggled with this for about a week before downgrading to 1.2!
This should be fixed asap! It was an absolute nightmare!

[crgolden]

Yeah same here!
I got it working again by changing my Gemfile to:
gem 'omniauth-oauth2', '~> 1.3.1'

[PikachuEXE]

What does provider_ignores_state do?
Any doc?

[zmajstor]

unfortunately, google oauth2 doesn't work even with provider_ignores_state: true

[zmajstor]

maybe a simple fix like this would work: #82

[jonathansimmons]

I lost 2 days of work trying to track down why my custom provider was returning an invalid_grant error. This really should have been checked more before being merged.

[sferik]

According to Section 3.1.2 of the OAuth 2 spec:

query component…MUST be retained when adding additional query parameters

I’m sorry implementing this part of the spec has caused some OAuth providers to break. Gems for such providers should specify their omniauth-oauth2 dependency like this (until we can find a better solution):

spec.add_dependency 'omniauth-oauth2', '~> 1.3.1'

[samuraraujo]

I fix using: gem 'omniauth-oauth2', '~> 1.3.1'

[adrazek]

I test the gem 'omniauth-oauth2', '~> 1.3.1' fix, working localy not in production.
Somebody for more infos on that ?

[adrazek]

Ok just figure out some configuration not deleted when trying to fix the problem myself.
So using 1.3.1 version is the good fix.

[jonathansimmons]

@sferik is there not a better solution for this yet? 6 months later and I'm still running into this problem in oAuth Strategies.

How is this acceptable to just ignore?

[cmar]

I was able to fix the issue by restoring the callback_url method to my subclass of OAuth2

module OmniAuth
  module Strategies
    class MyStrategy < OmniAuth::Strategies::OAuth2
        ...

        def callback_url
           full_host + script_name + callback_path
        end

        ...

see breaking change

[urkle]

It seems rediculous that this change occurred for ONE strategy and broke every other single strategy out there.. IMHO it would have made more sense for the one strategy that needed the query parameters to override callback_url in it's own strategy.

[siegy22]

Is this a wontfix?

[tmilewski]

We're not planning on reverting, no. This was implemented a year and a half ago to adhere to the OAuth 2 spec.

I recommend reaching out to the specific gem providers you require for them to make the necessary updates.