google_oauth2 Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

[gdurelle]

Even when creating the state myself it got the same error.

session['omniauth.state'] =  SecureRandom.hex(24)
redirect_to "/auth/google_oauth2?state=#{session['omniauth.state']}"

Even though the returned state is the same, meaning it should match !

Isn't there a double redirect or something ?
Because if so the :

request.params['state'] != session.delete('omniauth.state')

in https://github.com/intridea/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L72 would explain the problem.
=> First passes, second fail.

https://stackoverflow.com/questions/22386149/why-am-i-getting-csrf-detected-with-omniauth-and-google/23739564#23739564

[guilhermesimoes]

OmniAuth already creates the state for you, why are you trying to override it?

Also, when you run bundle show, what is the version of the omniauth-oauth2 gem?

[gdurelle]

I don't. it was to be sure the state token was the same (through loggers).

bundle show omniauth-oauth2
/usr/local/var/rbenv/versions/2.1.1/lib/ruby/gems/2.1.0/gems/omniauth-oauth2-1.1.2

[guilhermesimoes]

This should be working out of the box.

In what specific omniauth gem is this happening? How are you configuring it?

[gdurelle]

Just omniauth with google_oatuh2 provider.

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, Settings.google_oauth2.app_id, Settings.google_oauth2.app_secret, {
    prompt: 'select_account',
    image_aspect_ratio: 'square',
    image_size: 200
  }
end

[guilhermesimoes]

I think you made a copy paste mistake, Flm.config( should throw some kind of syntax error.

Either way, make sure that Settings.google_oauth2.app_id and Settings.google_oauth2.app_secret are working. Double check those tokens.

[gdurelle]

lol yeah. fixed ;)

Well everything works fine when I use the ugly

provider_ignores_state: true

option.
Thus I'm sure my credentials are ok.

For the record I also use other options, but quite sure it has nothing to do with the present problem :

    prompt: 'select_account consent',
    access_type: 'offline',
    scope: 'userinfo.profile,userinfo.email,youtube'

[guilhermesimoes]

Yeah, this issue shouldn't have anything to do with your configuration. However, given OmniAuth's history of catching client errors and throwing random errors, I wouldn't dismiss this just yet.

When you run bundle show, what is the version of the omniauth-google-oauth2 gem? Try changing the scopes userinfo.profile and userinfo.email just to profile and email. They were recently deprecated.

[gdurelle]

/usr/local/var/rbenv/versions/2.1.1/lib/ruby/gems/2.1.0/gems/omniauth-google-oauth2-0.2.3
scopes changed. same error.

Started GET "/auth/google_oauth2/callback?state=e044e048e1058afa01ec0b77f01f16507dcd23f850a5e18d&code=4/XDJgOYYMDkZmKH4074eZSTFHUSbI.kgC2pBqj6B0ZYKs_1NgQtmW_GcM7jAI" for 127.0.0.1 at 2014-05-21 10:22:19 +0200
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

[jdenquin]

After some tests, its appear that session['omniauth.state'] is nil during the callback phase!
Why session doesn't keep it?

[vincent-pochet]

This problem occurs with rails when the domain defined in /config/initializer/session_store.rb is different from the origin/redirect_uri defined in the google api console.

MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'

Removing the domain params or using the same domain on both sides (plus activating contacts and google+ APIs in console...) fixed the problem for me.

I think we can close this issue! 😸

[iamasecuritytester]

I had this exact same problem and adding domain: 'localhost' in session_store.rb fixed it for me. Thanks everyone!

[NickTomlin]

I'm running into this in a Sinatra app using omniauth-google-oauth2. I've added the redirect url through the control panel api, but to no avail. They only way around it at the moment is provider_ignores_state but that feels wrong.