Rene Chan

Reputation: 985

Rails - Linkedin Auth: Not found. Authentication passthru

Hi, I have an application with LinkedIn Authentication that used to work fine. Today I got complaints from users saying they see "Not found. Authentication passthru." when clicking on login with LinkedIn. It takes them to the page: http://XXXXX/users/auth/linkedin?locale=en

When I check the logs I get:

Started GET "/users/auth/linkedin?locale=en" for ::1 at 2021-07-12 18:04:13 +0800
Processing by OmniauthCallbacksController#passthru as HTML
  Parameters: {"locale"=>"en"}
  Rendering text template
  Rendered text template (0.0ms)
Completed 404 Not Found in 3ms (Views: 0.9ms | ActiveRecord: 0.3ms)

My controller looks like:

class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def linkedin
    # request.env["omniauth.auth"] is the normalized auth hash the OmniAuth
    # middleware sets once LinkedIn has redirected back to /callback
    @user = User.connect_to_linkedin(request.env["omniauth.auth"], current_user)
    if @user.persisted?
      flash[:notice] = I18n.t "devise.omniauth_callbacks.success"
      sign_in_and_redirect @user, :event => :authentication
    else
      # keep the auth data (minus the bulky "extra" key) for the sign-up form
      session["devise.linkedin_uid"] = request.env["omniauth.auth"].except("extra")
      flash[:notice] = I18n.t "devise.omniauth_callbacks.failure"
      redirect_to new_user_registration_url
    end
  end
end

I have the following in my model:

devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :confirmable, :omniauthable, :omniauth_providers => [:linkedin]

user_linkedin_omniauth_authorize GET|POST /users/auth/linkedin(.:format)          omniauth_callbacks#passthru
user_linkedin_omniauth_callback  GET|POST /users/auth/linkedin/callback(.:format) omniauth_callbacks#linkedin

When I add the POST method to the link_to, I get the following:

Started POST "/users/auth/linkedin?locale=en" for ::1 at 2021-07-12 21:56:18 +0800
D, [2021-07-12T21:56:18.416654 #65475] DEBUG -- omniauth: (linkedin) Request phase initiated.
W, [2021-07-12T21:56:18.417955 #65475]  WARN -- omniauth: Attack prevented by OmniAuth::AuthenticityTokenProtection
E, [2021-07-12T21:56:18.418089 #65475] ERROR -- omniauth: (linkedin) Authentication failure! authenticity_error: OmniAuth::AuthenticityError, Forbidden
Processing by OmniauthCallbacksController#failure as HTML

And other stuff

Do you see what could be the reason behind this sudden problem, please? I did a bundle update a few days ago and a lot of errors started showing up.

None of what I have seen so far could help.

Upvotes: 2

Views: 1302

Answers (3)

kakas

Reputation: 41

I got the same errors today. The problem may be related to the version of OmniAuth. When you use omniauth > 2.0, you should explicitly set the version of omniauth-rails_csrf_protection to 1.0.

reference: https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0#rails

Gemfile

gem 'omniauth-linkedin-oauth2', '~> 1.0'
gem 'omniauth-rails_csrf_protection', '~> 1.0'

part of my Gemfile.lock

    oauth2 (2.0.6)
      faraday (>= 0.17.3, < 3.0)
      jwt (>= 1.0, < 3.0)
      multi_xml (~> 0.5)
      rack (>= 1.2, < 3)
      rash_alt (>= 0.4, < 1)
      version_gem (~> 1.1)
    omniauth (2.1.0)
      hashie (>= 3.4.6)
      rack (>= 2.2.3)
      rack-protection
    omniauth-linkedin-oauth2 (1.0.0)
      omniauth-oauth2
    omniauth-oauth2 (1.8.0)
      oauth2 (>= 1.4, < 3)
      omniauth (~> 2.0)
    omniauth-rails_csrf_protection (1.0.1)
      actionpack (>= 4.2)
      omniauth (~> 2.0)

Upvotes: 2

jeanmw

Reputation: 466

I found this was because of CSRF protection enabled by default in OmniAuth 2 and above, and GET requests are no longer supported, like the one you are trying.

I was able to fix it with two things:

  1. Add omniauth-rails_csrf_protection gem: https://github.com/cookpad/omniauth-rails_csrf_protection

  2. Update your config/initializers/omniauth.rb to include:

OmniAuth.config.allowed_request_methods = [:get, :post]

Upvotes: 3
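Both answers above point at the same OmniAuth 2 change, and the two log excerpts in the question are its two visible symptoms. OmniAuth 2 only claims the request-phase path (/users/auth/linkedin) for the verbs in OmniAuth.config.allowed_request_methods, which defaults to [:post]; a plain GET link is not claimed, so the request falls through to Devise's passthru action, which renders the 404 "Not found. Authentication passthru" from the first log. A POST is claimed, but without the omniauth-rails_csrf_protection gem OmniAuth validates the token with rack-protection's AuthenticityToken, which looks for its own token in the Rack session rather than the Rails-masked authenticity_token that rails-ujs or a form submits, so the POST is rejected with "Attack prevented by OmniAuth::AuthenticityTokenProtection" (second log). The gem swaps that validation for Rails' own ActionController forgery check, which understands the Rails token.

The following is an added, stand-alone illustration, not code from the question, from OmniAuth or from Devise: a pure-Ruby model of those two checks so the outcomes can be reproduced offline. The names RequestPhaseGuard, call, simulate and the string bodies are hypothetical; the real logic lives in OmniAuth::Strategy#call! and in the configured request_validation_phase.

```ruby
# Added illustration (not OmniAuth/Devise code): a model of the OmniAuth 2
# request-phase checks. Class/method names are hypothetical.
require 'securerandom'

class RequestPhaseGuard
  # OmniAuth 2 defaults to [:post]; the jeanmw answer widens it to [:get, :post].
  attr_reader :allowed_request_methods

  def initialize(allowed_request_methods: [:post])
    @allowed_request_methods = allowed_request_methods
  end

  # session_token: the anti-CSRF token stored server-side in the session.
  # form_token:    the token the browser submitted (hidden field/header), if any.
  # Returns [status, body], a Rack-style response minus the headers.
  def call(method:, session_token:, form_token: nil)
    verb = method.to_s.downcase.to_sym

    # 1. The strategy only claims /users/auth/linkedin for allowed verbs. A plain
    #    GET link is not claimed, so the request falls through to Devise's
    #    passthru action, which is the 404 from the first log.
    unless allowed_request_methods.include?(verb)
      return [404, 'Not found. Authentication passthru']
    end

    # 2. For state-changing verbs the submitted token must match the session's.
    #    GET/HEAD/OPTIONS/TRACE count as "safe" and skip the check, which is why
    #    re-allowing GET re-opens login CSRF on the request phase.
    if unsafe?(verb) && !valid_token?(session_token, form_token)
      return [403, 'Forbidden (OmniAuth::AuthenticityError)']
    end

    # 3. Only now is the browser redirected to the provider's authorization URL.
    [302, 'Redirect to LinkedIn authorization endpoint']
  end

  private

  def unsafe?(verb)
    !%i[get head options trace].include?(verb)
  end

  # Constant-time comparison: never compare secrets with ==.
  def valid_token?(expected, provided)
    return false if expected.nil? || provided.nil?
    return false unless expected.bytesize == provided.bytesize

    diff = 0
    expected.bytes.zip(provided.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Run the four cases a practitioner wants to see and return case => status.
def simulate(guard, session_token)
  forged = 'x' * session_token.bytesize # constructed attacker-supplied token
  {
    get_link:          guard.call(method: :get,  session_token: session_token)[0],
    post_no_token:     guard.call(method: :post, session_token: session_token)[0],
    post_forged_token: guard.call(method: :post, session_token: session_token, form_token: forged)[0],
    post_good_token:   guard.call(method: :post, session_token: session_token, form_token: session_token)[0]
  }
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.base64(32) # constructed session token
  puts "default [:post]:    #{simulate(RequestPhaseGuard.new, token)}"
  lax = RequestPhaseGuard.new(allowed_request_methods: [:get, :post])
  puts "with [:get, :post]: #{simulate(lax, token)}"
end
```

With the default [:post], the GET link yields 404, a POST without a valid Rails token yields 403, and only a POST carrying the session's token reaches the redirect; with [:get, :post] the GET link goes straight to the redirect with no token at all, which is the pre-2.0 behaviour the new default removes. The practical fix in the view is therefore a POST that carries the Rails token, for example button_to "Sign in with LinkedIn", user_linkedin_omniauth_authorize_path, method: :post (the route name is the one shown in the question's routes), together with the omniauth-rails_csrf_protection gem, rather than widening allowed_request_methods.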

Dom Barnes

Reputation: 84

In application.rb, what's your config.load_defaults set to? I've been having issues myself if this is set to 6.1. 6.0 works fine. It's some issue related to cookie SameSite settings (needs to be lax for localhost, and none+secure for live on the web usually - I could be wrong).
And also yes, check you're doing a POST to your sign-in endpoint with CSRF checking in place.

Upvotes: 1
