OmniAuth - current session not loaded on OpenID callback

Question

I'm using OmniAuth with Rails 3.1.4 and I'm trying to allow already authenticated users to associate multiple OpenID providers with their account.

As an unauthenticated user, signing in with OpenID works fine. As an authenticated user, when I try to sign in with a different oid provider, when the callback method is executed, it just looks like I wasn't previously authenticated.

To me it just looks like the controller gets executed before sessions are initialised (or sessions are completely skipped).

What could it be?

Answer 1

Confirming Andrei Serdeliuc's solution, disabling protect_from_forgery worked for me (Ruby 1.8.7, Rails 2.3.11, OmniAuth 0.1.6)

in your CallbackController (AuthenticationsController in the famous screencast) adding skip_before_filter :verify_authenticity_token or protect_from_forgery :except => :create at the top of the controller work !

As it could be a way for CSRF (Cross-Site Request Forgery) you should verify the identity of the openid server, don't forget to setup the certificate verification (in the initializer):

# First of all get a ca-bundle.crt file (eg : from your open-source browser package)
require "openid/fetchers"
OpenID.fetcher.ca_file = "#{Rails.root}/config/ca-bundle.crt""

it will prevent warnings like :

WARNING: making https request to https://www.google.com/accounts/o8/id 
without verifying server certificate; no CA path was specified.

Now my sessions are not reseted anymore, and can add several openid authentication to my curren_user.

cheers

Answer 2

Keep in mind that OmniAuth has no concept of "signing in." It simply verifies that the user was authenticated at the third-party app and gives you the information you need to implement your own sign-in system (or integrate with an existing one). (There are excellent screencasts on this topic; see part 1 and part 2 on Railscasts, for example.)

That being said, the following assumes you haven't fallen into that common trap and really are having problems accessing session data in your callback. Some basic testing on my part shows that sessions work as expected in the OmniAuth callback. See the following code at https://github.com/BinaryMuse/so_5049994/compare/master...experiment:

class AuthController < ApplicationController
  def callback
    session[:count] ||= 0
    session[:count] += 1

    @count = session[:count]
    @env   = env['omniauth.auth']
  end
end

After authenticating via various services I have applications for (Facebook and Twitter among them), I receive output similar to the following (see the view file):

OmniAuth Callback

Number of times viewed (session): 5

OmniAuth Hash:

  {"provider"=>"facebook", "uid"=>"1017... (rest of omniauth hash here)