
Rails + omniauth + facebook - csrf detected

I'm working on logging in to a site via an existing Facebook account. So I registered a Facebook application and stored the api and secret in the development.rb and production.rb files. Then I used the omniauth-facebook gem + devise gem to implement this. It works perfectly.

By the way, a user can log in either by internal authentication (by devise) or by using a Facebook account.

However, there is a weird issue. It works perfectly only if I log in to the Facebook account in which I registered the application.

So I registered another facebook account that didn't have an application used in my Rails application and tried to login. It caused an error "An error occurred. Please try again later." ... "Could not authenticate you from Facebook-Account because "Csrf detected""

I tried to use the 1.4.0 omniauth-facebook gem instead of the 1.4.1 one, but it also caused an error: "must pass either a `code` parameter or a signed request (via `signed_request` parameter or a `fbsr_XXX` cookie)"

Gems

oauth2 (0.8.0) 
omniauth (1.1.0) 
omniauth-oauth2 (1.1.0) 
omniauth-facebook (1.4.1) 
warden (1.2.1)
devise (2.1.2)

Your ideas?

Alexandre asked Dec 15 '22 20:12


2 Answers

I had this issue as well, turns out I still had "sandbox" mode enabled in my Facebook application. Sounds like this may be your issue as well :)

If not, could you please post any related log entries?

imgrgry answered Jan 14 '23 07:01


For me, I needed to add provider_ignores_state: true to my Omniauth config:

config.omniauth :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_SECRET'], {
  strategy_class: OmniAuth::Strategies::Facebook,
  provider_ignores_state: true
}

This is on omniauth-facebook gem version 1.6.0.

There is more info also at https://github.com/mkdynamic/omniauth-facebook/issues/73

Han answered Jan 14 '23 09:01
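
The "Csrf detected" failure discussed above is the result of the OAuth2 `state` comparison, which is the check that `provider_ignores_state: true` switches off. The following is an added example, not code from the posts or from the omniauth gems: `StateCheck`, `request_phase`, `callback_phase` and `run_scenarios` are hypothetical names in a simplified model of that check, and the callback values are constructed.

```ruby
require "securerandom"

# Simplified model of the OAuth2 `state` check (illustrative, not gem code).
# The state is kept in the session under the "omniauth.state" key.
class StateCheck
  def initialize(provider_ignores_state: false)
    @ignore_state = provider_ignores_state
  end

  # Request phase: mint a random state, remember it in this browser's
  # session, and send the same value to the provider in the authorize URL.
  def request_phase(session)
    session["omniauth.state"] = SecureRandom.hex(24)
  end

  # Callback phase: the state echoed by the provider must equal the stored
  # one. The stored value is deleted on read, so it is single use.
  def callback_phase(session, params)
    expected = session.delete("omniauth.state")
    returned = params["state"].to_s
    return :ok if @ignore_state
    return :csrf_detected if expected.nil? || returned.empty?
    secure_equal?(returned, expected) ? :ok : :csrf_detected
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenarios: a normal login, a reused callback, a callback that
# arrives without the original session, and a callback the user never started.
def run_scenarios
  strict = StateCheck.new
  lax = StateCheck.new(provider_ignores_state: true)
  session = {}
  state = strict.request_phase(session)
  forged = { "code" => "constructed-code", "state" => "constructed-state" }
  {
    normal: strict.callback_phase(session, { "code" => "c1", "state" => state }),
    replayed: strict.callback_phase(session, { "code" => "c1", "state" => state }),
    lost_session: strict.callback_phase({}, { "code" => "c1", "state" => state }),
    forged_strict: strict.callback_phase({}, forged),
    forged_lax: lax.callback_phase({}, forged)
  }
end
```

The `lost_session` case is the benign way to hit the error (the session cookie did not survive the redirect), while `forged_lax` shows what is no longer rejected once the state check is ignored.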