current community

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 6 down vote favorite

Dear Fine People of SO:

I'm developing a Ruby app on Rails 3.2.12 (and I'm still new to it).

I'm trying to get Devise working with Omniauth... the first strategy I'm trying is Google_oauth2.

I have it working to the point where Google has redirected back into my localhost:3000 instance after selecting the credentials I want to use in Google.

Upon this redirection back into localhost, I see a flash notice:

Could not authenticate you from GoogleOauth2 because "Csrf detected".

The server logs contain this:

Started GET "/users/auth/google_oauth2" for 127.0.0.1 at 2013-03-21 08:57:01 -0400
(google_oauth2) Callback phase initiated.
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! invalid_credentials: OmniAuth::Strategie
s::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError


Started GET "/users/auth/google_oauth2/callback?state=7849a3762d07e7f89e69b4aa46
7efc7b7b2c21655193396b&code=4/v-dSBwAvQUUZL87iNV_yk_Z8s_x0.cnqsdbDX4gUYaDn_6y0ZQ
NgQ9hAaewI" for 127.0.0.1 at 2013-03-21 08:57:40 -0400
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"7849a3762d07e7f89e69b4aa467efc7b7b2c21655193396b", "cod
e"=>"4/v-dSBwAvQUUZL87iNV_yk_Z8s_x0.cnqsdbDX4gUYaDn_6y0ZQNgQ9hAaewI"}
Redirected to http://localhost:3000/users/sign_in
Completed 302 Found in 0ms (ActiveRecord: 0.0ms)

I noticed that I get exactly the same result if I simply put the callback URL into the browser directly, without any parameters supplied.

http://localhost:3000/users/auth/google_oauth2/callback

What can I try? What other info can I provide? Help me help you help me ;)

share|improve this question
add comment

2 Answers

up vote 6 down vote accepted

Answering my own post.... I'm past this. I'm not entirely sure why, but I have some clues that might be worth passing on.

There are a bunch of other similar issues reported related to the omniauth-facebook strategy. They did not seem to apply to google, so I didn't look too deep. Then I tried to configure the FB strategy, and got the same problem. The FB solution was to revert the omniauth-facebook gem back to 1.4.0.

gem 'omniauth-facebook', '1.4.0'

This also automatically reverted the omniauth-oauth2 gem (I've not wrapped my head around the gem thing yet). When I tried the google link again, it did not throw the same Csrf detected message... Hmmm... reverting the FB gem fixed google ---- Need a disclaimer here, other things might have been the problem here, but I think I have it correct.

There is another problem worth mentioning. The log i provided above showed 2 repeated log messages....

(google_oauth2) Callback phase initiated.
(google_oauth2) Callback phase initiated.

This reveals another (maybe related) problem. It means that the callback was executed twice. Once I got past the CSRF issue, i started getting the invalid_credentials problem all by itself. The reason for the error is the duplicate callback call. Apparently, Oauth2 only allows a single use of the credential. The second use is invalid.

I used railscast #235 as my guide: http://railscasts.com/episodes/235-devise-and-omniauth-revised?autoplay=true

It had me add "provider" calls in the omniauth.rb initializer. and config.omniauth calls in the devise.rb initializer. I guess these somehow result in duplicate callbacks?!?!?

Removing the entry from omniauth.rb got me past that one.

So there you have it. My second SO question, and my second question where I'm the only responder. Not sure if its because they were dumb or hard... I hope the latter.

share|improve this answer
 
Well, my friend you can be more at peace, no one has answered because this issue is really hard! I'm having the same issues now as well, with Google, Linkedin, and Twitter :( So, you say I have to remove a line from the omniauth.rb, right? I'm kind of screwed, I don't have that file, what then? –  JoseE Apr 27 '13 at 15:23
 
my omniauth.rb file is in an obscure place... config/initializers/omniauth.rb. If you don't have it, i'd just look around for other possible duplicates? –  Doug May 2 '13 at 0:28
 
Removing omniauth.rb works. I had the same problem following the RailsCast. But when following the guide on the Devise wiki, you only configure OmniAuth in config/initializers/devise.rb with config.omniauth :facebook, "APP_ID", "APP_SECRET", :strategy_class => OmniAuth::Strategies::Facebook. –  zxzxlch Jan 24 at 6:14
add comment
up vote 0 down vote

Just stumbled onto this issue, but your fix didn't work for me. I am using the following gem versions;

oauth2 (0.8.1)
omniauth (1.1.4)
omniauth-oauth2 (1.1.1)
omniauth-facebook (1.4.1)
omniauth-google-oauth2 (0.2.1)

What did fix my problem was adjusting my omniauth.rb initialiser to the following;

OmniAuth.config.full_host = "http://localhost:3000"

Rails.application.config.middleware.use OmniAuth::Builder do
    provider :facebook, KEY, SECRET,
    provider :google_oauth2, KEY, SECRET, :scope => "userinfo.email,userinfo.profile"
end

The key part was to add the 'scope' parameter for google_oauth2, without which I was getting auth failures.

I based my install of this blog: http://sreeharikmarar.blogspot.com.au/2013/01/omniauth-devise-authentication-using.html

A related post: OmniAuth using google oauth 2 strategy scope failure

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.