omniauth google-oauth2 with devise - invalid_credentials and "Csrf detected"

Dear Fine People of SO:

I am developing a Ruby app on Rails 3.2.12 (and I am still new to it).

I am trying to get Devise working with Omniauth... the first strategy I am trying is Google_oauth2.

I have it working to the point where Google has redirected back into my localhost:3000 instance after selecting the credentials I want to use in Google.

Upon this redirection back into localhost, I see a flash notice:

Could not authenticate you from GoogleOauth2 because "Csrf detected".

The server logs contain this:

Started GET "/users/auth/google_oauth2" for 127.0.0.1 at 2013-03-21 08:57:01 -0400
(google_oauth2) Callback phase initiated.
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError


Started GET "/users/auth/google_oauth2/callback?state=7849a3762d07e7f89e69b4aa467efc7b7b2c21655193396b&code=4/v-dSBwAvQUUZL87iNV_yk_Z8s_x0.cnqsdbDX4gUYaDn_6y0ZQNgQ9hAaewI" for 127.0.0.1 at 2013-03-21 08:57:40 -0400
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"7849a3762d07e7f89e69b4aa467efc7b7b2c21655193396b", "code"=>"4/v-dSBwAvQUUZL87iNV_yk_Z8s_x0.cnqsdbDX4gUYaDn_6y0ZQNgQ9hAaewI"}
Redirected to http://localhost:3000/users/sign_in
Completed 302 Found in 0ms (ActiveRecord: 0.0ms)

I noticed that I get exactly the same result if I simply put the callback URL into the browser directly, without any parameters supplied.

http://localhost:3000/users/auth/google_oauth2/callback

What can I try? What other info can I provide?

Doug asked Mar 21 '13 13:03


3 Answers

Answering my own post.... I'm past this. I'm not entirely sure why, but I have some clues that might be worth passing on.

There are a bunch of other similar issues reported related to the omniauth-facebook strategy. They did not seem to apply to google, so I didn't look too deep. Then I tried to configure the FB strategy, and got the same problem. The FB solution was to revert the omniauth-facebook gem back to 1.4.0.

gem 'omniauth-facebook', '1.4.0'

This also automatically reverted the omniauth-oauth2 gem (I've not wrapped my head around the gem thing yet). When I tried the google link again, it did not throw the same Csrf detected message... Hmmm... reverting the FB gem fixed google ---- Need a disclaimer here, other things might have been the problem here, but I think I have it correct.

There is another problem worth mentioning. The log I provided above showed 2 repeated log messages....

(google_oauth2) Callback phase initiated.
(google_oauth2) Callback phase initiated.

This reveals another (maybe related) problem. It means that the callback was executed twice. Once I got past the CSRF issue, I started getting the invalid_credentials problem all by itself. The reason for the error is the duplicate callback call. Apparently, Oauth2 only allows a single use of the credential. The second use is invalid.

I used railscast #235 as my guide: http://railscasts.com/episodes/235-devise-and-omniauth-revised?autoplay=true

It had me add "provider" calls in the omniauth.rb initializer, and config.omniauth calls in the devise.rb initializer. I guess these somehow result in duplicate callbacks?!?!?

Removing the entry from omniauth.rb got me past that one.

So there you have it. My second SO question, and my second question where I'm the only responder. Not sure if it's because they were dumb or hard... I hope the latter.

Doug answered Nov 19 '22 15:11


I had the same problem. In my case I have initialized google-oauth credentials in both devise.rb and also in omniauth.rb; because of this the callback was happening twice. After removing google-oauth credentials from devise.rb, this CSRF token problem got solved.

Abhiram answered Nov 19 '22 14:11
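The two answers above both trace the failure to the same provider being registered twice (once in omniauth.rb, once via Devise), so the callback phase runs twice in one request. The script below is an added, simplified model of why that produces "CSRF detected" and why a replayed callback cannot succeed; it is not code from the question, the answers, or the omniauth gems. It assumes a plain Hash standing in for the Rack session, and the class and method names (`StateCheckSimulation`, `request_phase`, `callback_phase`) are constructed for the illustration; the one-shot comparison of the `state` query parameter against a session value that is deleted on read is modelled on how omniauth-oauth2's callback phase behaves.

```ruby
require "securerandom"

# Constructed model of the OAuth2 "state" check (added illustration, not the
# gem's code). The session is a plain Hash standing in for rack.session.
class StateCheckSimulation
  CallbackError = Class.new(StandardError)

  def initialize
    @session = {}
  end

  # Request phase: mint a random state, remember it in the session and
  # (in a real strategy) send it along on the redirect to the provider.
  def request_phase
    state = SecureRandom.hex(24)
    @session["omniauth.state"] = state
    state
  end

  # Callback phase: the state echoed back by the provider must equal the
  # stored one. The stored value is deleted on read, so it can only be
  # checked once; a second pass through this code sees nothing to compare.
  def callback_phase(params)
    expected = @session.delete("omniauth.state")
    if params["state"].to_s.empty? || params["state"] != expected
      raise CallbackError, "csrf_detected: CSRF detected"
    end
    # A real strategy would now exchange params["code"] for a token. The
    # code is also single-use, so replaying it yields invalid_credentials.
    { "state" => params["state"], "code" => params["code"] }
  end
end

# One strategy handling the callback once: the normal, successful path.
def single_callback
  sim = StateCheckSimulation.new
  state = sim.request_phase
  sim.callback_phase("state" => state, "code" => "constructed-code")
  :ok
rescue StateCheckSimulation::CallbackError => e
  e.message
end

# Two registrations of the provider mean the callback phase runs twice for
# the same request; the second run finds the state already consumed.
def duplicate_callback
  sim = StateCheckSimulation.new
  state = sim.request_phase
  params = { "state" => state, "code" => "constructed-code" }
  results = []
  2.times do
    begin
      sim.callback_phase(params)
      results << :ok
    rescue StateCheckSimulation::CallbackError => e
      results << e.message
    end
  end
  results
end

# Opening the callback URL with no parameters, as the question tried.
def bare_callback
  sim = StateCheckSimulation.new
  sim.callback_phase({})
  :ok
rescue StateCheckSimulation::CallbackError => e
  e.message
end

p single_callback      # => :ok
p duplicate_callback   # => [:ok, "csrf_detected: CSRF detected"]
p bare_callback        # => "csrf_detected: CSRF detected"
```

The takeaway for configuration is that a provider should be registered exactly once, so that a single callback phase consumes the session state and the authorization code; the state check itself is working as intended and is what protects the login flow from forged callbacks.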


Just stumbled onto this issue, but your fix didn't work for me. I am using the following gem versions:

oauth2 (0.8.1)
omniauth (1.1.4)
omniauth-oauth2 (1.1.1)
omniauth-facebook (1.4.1)
omniauth-google-oauth2 (0.2.1)

What did fix my problem was adjusting my omniauth.rb initialiser to the following:

OmniAuth.config.full_host = "http://localhost:3000"

Rails.application.config.middleware.use OmniAuth::Builder do
  # Each provider is its own call; a trailing comma here would pass the
  # google_oauth2 call as an argument to the facebook one.
  provider :facebook, KEY, SECRET
  # google_oauth2 needs an explicit scope; without it the auth request fails.
  provider :google_oauth2, KEY, SECRET, :scope => "userinfo.email,userinfo.profile"
end

The key part was to add the 'scope' parameter for google_oauth2, without which I was getting auth failures.

I based my install off this blog: http://sreeharikmarar.blogspot.com.au/2013/01/omniauth-devise-authentication-using.html

A related post: OmniAuth using google oauth 2 strategy scope failure

RJ Lohan answered Nov 19 '22 13:11