"CSRF detected" with Omniauth and Google

I'm getting this:

OmniAuth::Strategies::OAuth2::CallbackError at /auth/google/callback csrf_detected | CSRF detected

My code:

require 'sinatra'
require "sinatra/json"
require "sinatra/config_file"
require 'omniauth-oauth2'
require 'omniauth-google-oauth2'

use Rack::Logger

config_file "config/app_config.yml"
use Rack::Session::Cookie, secret: '5fb7w345y3489f523y4h'

configure do
  enable :sessions
end

use OmniAuth::Builder do
  provider :google_oauth2, settings.google[:client_id], settings.google[:secret],
    {
      :scope => "userinfo.profile",
      :access_type => "offline",
      :prompt => "select_account consent",
      :name => "google"
    }
end

get '/list' do
  json get_list
end

get '/' do
  %Q|<a href='/auth/google'>Sign in with Google</a>|
end

get '/auth/:name/callback' do
  @auth = request.env['omniauth.auth']
  @auth.inspect
end

My callback is returning both code and state.

Joseph Le Brech asked Mar 13 '14 17:03


2 Answers

This problem occurs with Rails when the domain defined in /config/initializer/session_store.rb is different from the origin/redirect_uri defined in the Google API console.

MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'

Removing the domain param or using the same domain on both sides fixed the problem.

Vincent Pochet answered Oct 30 '22 19:10


Got the same problem:

(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

The last omniauth-oauth2 update introduced the "state" param as a mandatory field.

Some people suggest using provider_ignores_state: true, but it's a bad idea because it introduces a CSRF flaw.

Guess we'll have to downgrade to previous version to keep google_oauth2 working.

Issue on https://github.com/intridea/omniauth-oauth2/issues/58

gdurelle answered Oct 30 '22 18:10
<|assistant|>
<gr_replace lines="85-88" cat="remove_boilerplate" orig="like image 20">
gdurelle answered Oct 30 '22 18:10
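Both answers come down to the same mechanism: the OAuth2 "state" value minted during the request phase has to survive in the session cookie until the callback, and the callback must present the same value. The following is an added example written for this page, not code from OmniAuth or from either answerer; it models that check with a plain Hash standing in for the Rack cookie session (the helper names request_phase, callback_phase and secure_equal? are assumptions, not OmniAuth's API). It shows the normal round trip succeeding, the first answer's failure mode (the cookie was scoped to a different domain, so the callback arrives with an empty session), a callback whose state was never issued to this session, and what provider_ignores_state: true actually switches off.

```ruby
require 'securerandom'

# Raised in place of OmniAuth::Strategies::OAuth2::CallbackError.
class OAuthStateError < StandardError; end

# Request phase: mint an unguessable state, remember it in the session, and
# return the provider authorize URL carrying it. (Assumed helper, not OmniAuth.)
def request_phase(session, authorize_url: 'https://accounts.google.com/o/oauth2/auth')
  state = SecureRandom.hex(24)
  session['omniauth.state'] = state
  "#{authorize_url}?response_type=code&state=#{state}"
end

# Callback phase: the state echoed back by the provider must equal the one the
# session stored. The stored value is consumed so a callback cannot be replayed.
# ignore_state: true reproduces provider_ignores_state and skips the check.
def callback_phase(session, params, ignore_state: false)
  expected = session.delete('omniauth.state')
  return :ok if ignore_state
  raise OAuthStateError, 'csrf_detected' if expected.nil? || params['state'].nil?
  raise OAuthStateError, 'csrf_detected' unless secure_equal?(expected, params['state'])
  :ok
end

# Constant-time string comparison so the check leaks nothing through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Scenario 1: the same browser session carries the cookie through both phases.
def happy_path
  session = {}
  state = request_phase(session)[/state=(\h+)/, 1]
  callback_phase(session, { 'code' => 'constructed-auth-code', 'state' => state })
end

# Scenario 2 (first answer): the session cookie was set for a domain that does
# not match the redirect_uri, so the callback request arrives with a fresh,
# empty session even though the provider returned the right state.
def lost_session
  session = {}
  state = request_phase(session)[/state=(\h+)/, 1]
  callback_phase({}, { 'code' => 'constructed-auth-code', 'state' => state })
rescue OAuthStateError => e
  e.message
end

# Scenario 3: a callback whose state this session never issued is rejected;
# this is the cross-site request the check exists to stop.
def unissued_state
  session = {}
  request_phase(session)
  callback_phase(session, { 'code' => 'constructed-auth-code', 'state' => SecureRandom.hex(24) })
rescue OAuthStateError => e
  e.message
end

# Scenario 4 (second answer): provider_ignores_state accepts the same request
# that scenario 3 rejects, which is why it is the wrong fix.
def ignored_state
  callback_phase({}, { 'code' => 'constructed-auth-code', 'state' => SecureRandom.hex(24) }, ignore_state: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "round trip:      #{happy_path}"
  puts "cookie not sent: #{lost_session}"
  puts "unissued state:  #{unissued_state}"
  puts "ignores_state:   #{ignored_state}"
end
```

Scenario 2 is the one to check first when the provider clearly returns both code and state, as in the question: the state is correct, but the session that should contain its twin never made it back, whether because of a cookie domain mismatch or because two session middlewares (enable :sessions plus an explicit use Rack::Session::Cookie) are writing cookies with different secrets.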