Callback denied with OmniAuth

Question

When I initiate the logging in process using OmniAuth in a Rails 3 app, if I cancel on the provider's page, I get sent back to an URL that looks something like:

http://example.com/auth/twitter/callback?denied=aUho....

and my application throws a 500, that I can see it's a OAuth::Unauthorized: 401 Unauthorized, without ever touching any of my controller actions.

The stack trace is when I reproduce it in my computer is:

oauth (0.4.6) lib/oauth/consumer.rb:216:in `token_request'
oauth (0.4.6) lib/oauth/consumer.rb:136:in `get_request_token'
omniauth-oauth (1.0.1) lib/omniauth/strategies/oauth.rb:29:in `request_phase'
omniauth-twitter (0.0.11) lib/omniauth/strategies/twitter.rb:50:in `request_phase'
omniauth (1.1.0) lib/omniauth/strategy.rb:207:in `request_call'
omniauth (1.1.0) lib/omniauth/strategy.rb:174:in `call!'
omniauth (1.1.0) lib/omniauth/strategy.rb:157:in `call'
omniauth (1.1.0) lib/omniauth/strategy.rb:177:in `call!'
omniauth (1.1.0) lib/omniauth/strategy.rb:157:in `call'
omniauth (1.1.0) lib/omniauth/builder.rb:48:in `call'
sass (3.1.19) lib/sass/plugin/rack.rb:54:in `call'
warden (1.1.1) lib/warden/manager.rb:35:in `block in call'
warden (1.1.1) lib/warden/manager.rb:34:in `catch'
warden (1.1.1) lib/warden/manager.rb:34:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
rack (1.4.1) lib/rack/etag.rb:23:in `call'
rack (1.4.1) lib/rack/conditionalget.rb:25:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/head.rb:14:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/flash.rb:242:in `call'
rack (1.4.1) lib/rack/session/abstract/id.rb:205:in `context'
rack (1.4.1) lib/rack/session/abstract/id.rb:200:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/cookies.rb:338:in `call'
activerecord (3.2.6) lib/active_record/query_cache.rb:64:in `call'
activerecord (3.2.6) lib/active_record/connection_adapters/abstract/connection_pool.rb:473:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (3.2.6) lib/active_support/callbacks.rb:405:in `_run__60653626266012267__call__4496837804684830799__callbacks'
activesupport (3.2.6) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.6) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
activesupport (3.2.6) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.6) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/reloader.rb:65:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
railties (3.2.6) lib/rails/rack/logger.rb:26:in `call_app'
railties (3.2.6) lib/rails/rack/logger.rb:16:in `call'
quiet_assets (1.0.1) lib/quiet_assets.rb:20:in `call_with_quiet_assets'
actionpack (3.2.6) lib/action_dispatch/middleware/request_id.rb:22:in `call'
rack (1.4.1) lib/rack/methodoverride.rb:21:in `call'
rack (1.4.1) lib/rack/runtime.rb:17:in `call'
activesupport (3.2.6) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.4.1) lib/rack/lock.rb:15:in `call'
actionpack (3.2.6) lib/action_dispatch/middleware/static.rb:62:in `call'
airbrake (3.1.1) lib/airbrake/rack.rb:30:in `call'
airbrake (3.1.1) lib/airbrake/user_informer.rb:12:in `call'
railties (3.2.6) lib/rails/engine.rb:479:in `call'
railties (3.2.6) lib/rails/application.rb:220:in `call'
rack (1.4.1) lib/rack/content_length.rb:14:in `call'
railties (3.2.6) lib/rails/rack/log_tailer.rb:17:in `call'
thin (1.3.1) lib/thin/connection.rb:80:in `block in pre_process'
thin (1.3.1) lib/thin/connection.rb:78:in `catch'
thin (1.3.1) lib/thin/connection.rb:78:in `pre_process'
thin (1.3.1) lib/thin/connection.rb:53:in `process'
thin (1.3.1) lib/thin/connection.rb:38:in `receive_data'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run_machine'
eventmachine (0.12.10) lib/eventmachine.rb:256:in `run'
thin (1.3.1) lib/thin/backends/base.rb:61:in `start'
thin (1.3.1) lib/thin/server.rb:159:in `start'
rack (1.4.1) lib/rack/handler/thin.rb:13:in `run'
rack (1.4.1) lib/rack/server.rb:265:in `start'
railties (3.2.6) lib/rails/commands/server.rb:70:in `start'
railties (3.2.6) lib/rails/commands.rb:55:in `block in <top (required)>'
railties (3.2.6) lib/rails/commands.rb:50:in `tap'
railties (3.2.6) lib/rails/commands.rb:50:in `<top (required)>'
script/rails:6:in `require'
script/rails:6:in `<top (required)>'
-e:1:in `load'
-e:1:in `<main>'

If I go on with log in (without clicking cancel at Twitter's page), then everything works correctly as expected. Same for Facebook, I can log in just fine, but if I press 'cancel' at Facebook's page, I get redirected back and I throw a 500.

Is there a way to handle this better? I'd like to be able to show a nice page.

Answer 1

When there's a failure, most of the times depending on the type of failure, OmniAuth will call OmniAuth.config.on_failure which by default is set to OmniAuth::FailureEndpoint. By default it is supposed to raise an exception in development mode and redirect otherwise:

def call
  raise_out! if ENV['RACK_ENV'].to_s == 'development'
  redirect_to_failure
end

The default endpoint, according to the docs, is /auth/failure.

If that is not working as expected for you, then you can force the redirection to always happen, even on dev mode, by adding this to your initializer:

class SafeFailureEndpoint < OmniAuth::FailureEndpoint
  def call
    redirect_to_failure
  end
end

OmniAuth.config.on_failure = SafeFailureEndpoint

A more concise solution from https://github.com/intridea/omniauth/issues/616

# Added to config/initializers/omniauth.rb
OmniAuth.config.on_failure = Proc.new { |env|
  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
}

Answer 2

I had same issue, (facebook cancel clicked)

after adding

# Added to config/initializers/omniauth.rb
OmniAuth.config.on_failure = Proc.new { |env|
  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
}

implemented auth callback route as

in config/routes.rb

match '/auth/failure' => 'sessions#failure' 

session controller will look like

class SessionsController < ApplicationController
  def failure
    redirect_to #route that you want redirect
  end
end

Answer 3

I had the same issue, and with Pramod's solution I was getting an "Unknown action" error, but worked after I changed the callback route to

config/routes.rb

devise_scope :user do
  get '/users/auth/failure' => 'sessions#failure'
end   

Rails 3.2.14
Devise 3.1.1
Omniauth 1.1.4