Reputation: 5878
OmniAuth - current session not loaded on OpenID callback
I'm using OmniAuth with Rails 3.1.4 and I'm trying to allow already authenticated users to associate multiple OpenID providers with their account.
As an unauthenticated user, signing in with OpenID works fine. As an authenticated user, when I try to sign in with a different oid provider, when the callback method is executed, it just looks like I wasn't previously authenticated.
To me it just looks like the controller gets executed before sessions are initialised (or sessions are completely skipped).
What could it be?
Upvotes: 8
Views: 3107
Answers (3)
Reputation: 16821
As for me I have to implement an app with Intuit, and ran in to the same problem. What fixed it for me isn't the removal of protect forgery or skipping the authenticity_token check but making sure the page where I submit the authorization form locally has the same host as the redirect URL. I had 127.0.0.1:3000 but the redirect_url was localhost:3000.
Upvotes: 0
Reputation: 1384
Confirming Andrei Serdeliuc's solution, disabling protect_from_forgery worked for me (Ruby 1.8.7, Rails 2.3.11, OmniAuth 0.1.6)
in your CallbackController (AuthenticationsController in the famous screencast)
adding skip_before_filter :verify_authenticity_token or protect_from_forgery :except => :create at the top of the controller work !
As it could be a way for CSRF (Cross-Site Request Forgery) you should verify the identity of the openid server, don't forget to setup the certificate verification (in the initializer):
# First of all get a ca-bundle.crt file (eg : from your open-source browser package)
require "openid/fetchers"
OpenID.fetcher.ca_file = "#{Rails.root}/config/ca-bundle.crt""
it will prevent warnings like :
WARNING: making https request to https://www.google.com/accounts/o8/id without verifying server certificate; no CA path was specified.
Now my sessions are not reseted anymore, and can add several openid authentication to my curren_user.
cheers
Upvotes: 13
Reputation: 159135
Keep in mind that OmniAuth has no concept of "signing in." It simply verifies that the user was authenticated at the third-party app and gives you the information you need to implement your own sign-in system (or integrate with an existing one). (There are excellent screencasts on this topic; see part 1 and part 2 on Railscasts, for example.)
That being said, the following assumes you haven't fallen into that common trap and really are having problems accessing session data in your callback. Some basic testing on my part shows that sessions work as expected in the OmniAuth callback. See the following code at https://github.com/BinaryMuse/so_5049994/compare/master...experiment:
class AuthController < ApplicationController
def callback
session[:count] ||= 0
session[:count] += 1
@count = session[:count]
@env = env['omniauth.auth']
end
end
After authenticating via various services I have applications for (Facebook and Twitter among them), I receive output similar to the following (see the view file):
OmniAuth Callback
Number of times viewed (session): 5
OmniAuth Hash:
{"provider"=>"facebook", "uid"=>"1017... (rest of omniauth hash here)
Upvotes: 2
Related Questions
- Omniauth-identity InvalidAuthenticityToken
- Omniauth isn't catching the initial get "/auth/:provider" request
- Callback denied with OmniAuth
- Omniauth returns a 401 unauthorized
- Session Not Persisting Across Redirect With OmniAuth and Rails 4
- Handling OmniAuth::Strategies::OAuth2::CallbackError in OmniAuth
- Omniauth Session NoMethodError
- Session variable not initialized on callback from OmniAuth OpenID
- Omniauth 404 on callback
- Empty Session after Omniauth Twitter Callback