Error: Not found. Authentication passthru. with any Omniauth strategy #5236
Comments
Did you get any further with this? I'm getting the same problem. |
No, I didn't. I changed the flow to make it work differently, taking the authorization code from the client, then sending it to my Rails app. |
@lionelrudaz and @apchester please make sure you use |
@arcooverbeek Thanks! instantly fixes the issue for me, though this doesn't appear to be the default? |
@arcooverbeek the thing is that I was in API mode for my Rails app, and my calls were done from a different frontend application. In this case, I don't think it makes sense to post to the URL, don't you think? |
@arcooverbeek using |
Hey all, please note that using POST as the method is the new default in OmniAuth 2+, and that is to increase security and is definitely recommended. Devise is upgrading to that default soon: #5327, and so should you if possible. Check their release notes for more info: https://github.com/omniauth/omniauth/releases/tag/v2.0.0. If you're getting to that error it means OmniAuth is not catching the route and doing its thing, and instead you're landing directly in Rails/Devise. @lionelrudaz are you still encountering the problem you originally reported? |
@carlosantoniodasilva thank you for coming back on this! So, another question, why is OmniAuth not catching the route? `devise_for :users, controllers: { omniauth_callbacks: 'omniauth_callbacks' }` Edit 1: I've recently upgraded to Rails 6.1.1 and Ruby 3.0.0. Could it be the reason? `gem 'devise', github: 'heartcombo/devise', branch: 'ca-omniauth-2'` Edit 3:
Temporary solution which worked for me is to downgrade to |
Have you verified that the request is actually being sent as POST with the link using With OmniAuth 2.0+, If that's not the case, it'd be nice if you could provide a sample app that shows the issue. I haven't been able to re-test everything myself yet with that branch. Thanks. |
@Pandenok I think you need to set the See: https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0#rails |
@jkowens YEAAAAH!
|
@carlosantoniodasilva you're doing an amazing job! |
@carlosantoniodasilva I have been going through your suggestions on different forums to fix OmniAuth and have landed on an AuthenticityTokenProtection error just like @Pandenok. I'm using these two gems:
And calling the user_facebook_omniauth_authorize_path with I tried installing
Any thoughts on how to fix this would be super appreciated. |
@juliaf1 did you see the Omniauth 2.0 upgrade wiki? https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0#rails You can either add |
@juliaf1 right, from my understanding the only thing you should need (aside from using that branch and OmniAuth 2) is what @jkowens mentioned above: add the That combined with initiating the OAuth flow using a POST request (using I'll probably include some documentation around this on the Devise side (changelog/readme/wiki), I'm sure more people will hit issues upgrading and will come looking here first. |
@juliaf1 Julia,
If you installed the gem, you don't need to add anything, it's the gem itself that will add request validation on any post request, so make sure as @carlosantoniodasilva stated to use a Hope this will help! Edit: typos and formatting edited |
Omniauth 2 requires post. heartcombo/devise#5236

```
Install the gem OmniAuth - Rails CSRF Protection
Add the link user_facebook_omniauth_authorize_path method: :post
```

TODO: Convert the rest of the links to `user_github_omniauth_authorize_path` to be post
Updates omniauth because GitHub is deprecating query params which is used by the old omniauth. To do this I updated to Omniauth 2+ which also required an update of devise.

There's a change to the omniauth API which is talked about here: heartcombo/devise#5236

Basically:

- Omniauth2 requires post (instead of GET)
- Omniauth 2 also needs this `omniauth-rails_csrf_protection` gem.

I added the gem and updated all `link_to` and `button_to` to include a `method: :post`. There is one controller redirect which apparently still seems to work, but it might be broken. I'm not sure how we could possibly preserve the existing behavior since you cannot redirect to a post. This gets tests to pass though. So it's good enough for the short term.

## Deprecation Email from GitHub

```
[GitHub API] Deprecation notice for authentication via URL query parameters
GitHub Mar 6, 2021, 4:37 AM (5 days ago) to Richard

Hi @schneems,

On March 6th, 2021 at 10:37 (UTC) your application (CodeTriage) used an access token (with the User-Agent Faraday v0.17.3) as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/user

Please use the Authorization HTTP header instead as using the `access_token` query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

Thanks,
The GitHub Team
```

Need to use devise from GitHub due to this not being released yet heartcombo/devise#5327

# This is the commit message #2:

WIP Move omniauth links to post

Omniauth 2 requires post. heartcombo/devise#5236

```
Install the gem OmniAuth - Rails CSRF Protection
Add the link user_facebook_omniauth_authorize_path method: :post
```

TODO: Convert the rest of the links to `user_github_omniauth_authorize_path` to be post
If anyone lands here and has just wasted an entire day trying to resolve this issue, re-reading this thread 20 times and screaming "WHY" into their clenched fist, you explicitly need to include |
Hi, what worked for me:
peace |
** Why are these changes being introduced:

* Something changed in a recent dependency upgrade, breaking local auth for development environments. The GitHub issue queue for Devise lists a set of steps that seems to work in local environments.

** Relevant ticket(s):

* n/a for now - although this might become its own ticket

** How does this address that need:

* This implements the recommended fix at heartcombo/devise#5236 (comment)

Please note that the gem is installed development only, as the tests and production environments are unaffected as they don't use this auth method.

** Document any side effects to this change:

* I'm not sure - there's probably a better way to handle this.
** Why are these changes being introduced:

* Something changed in a recent dependency upgrade, breaking local auth for development environments. The GitHub issue queue for Devise lists a set of steps that seems to work in local environments.

** Relevant ticket(s):

* n/a for now - although this might become its own ticket

** How does this address that need:

* This implements the recommended fix at heartcombo/devise#5236 (comment)

** Document any side effects to this change:

* I'm not sure - there's probably a better way to handle this.
Gems upgraded, method: :post, disable turbo. Same issue. Sigh... |
It helps to switch to This works for me too:

```erb
<%= button_to "Sign in with Microsoft", user_microsoft_graph_omniauth_authorize_path,
    method: :post, "data-turbo": false %>
```
|
This works for me with turbo
No other changes |
Anyone have advice for working around this problem for the case of "open link in new tab"? My login links work as expected when they are clicked normally, but "method: :post" doesn't prevent this error when a user tries to open the login in a new tab. |
This is happening to me on Rails 7 using https://github.com/andyw8/omniauth-pocket-oauth2 and none of these solutions seem to work :/. |
Only replacing |
@zal-lex are you using turbo? If so, there's a reason that it works with button_to and not link_to, see rails/rails#43430 and rails/rails#43941 |
Followed the guides provided on omniauth-google-oauth2 repo (https://github.com/zquestz/omniauth-google-oauth2#devise) and devise wiki (https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview). Note that `data: { turbo: "false" }` is required to make this work, as was noted in a few different GitHub and Stack Overflow threads (e.g., https://github.com/heartcombo/devise/issues/5236#issuecomment-1004028752).
In case it helps someone else, for me the problem was with URL comparison. So a quick fix is to override this method in your OmniAuth strategy:

```ruby
module OmniAuth
  module Strategies
    class MyStrategy < OmniAuth::Strategies::OAuth2
      # Compare paths with repeated slashes collapsed, case-insensitively.
      def on_path?(path)
        current_path.squeeze("/").casecmp(path.squeeze("/")).zero?
      end
      #...
    end
  end
end
```
|
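The routing behaviour discussed in this thread, as an added example that is not part of any comment and is not OmniAuth or Devise source: a simplified Ruby model of the OmniAuth 2 request-phase gate, covering the GET passthru described in the maintainer's reply, the missing-token failure, and the double-slash path mismatch from the `on_path?` comment above. The route, the token handling and the `dispatch`, `tokens_match?` and `demo` names are assumptions made for illustration.

```ruby
# Simplified model of the OmniAuth 2 request-phase gate (illustrative only;
# not OmniAuth or Devise source). All names and sample values are constructed.
require "securerandom"

ALLOWED_REQUEST_METHODS = [:post].freeze # OmniAuth 2 default; 1.x allowed [:get, :post]
REQUEST_PATH = "/users/auth/facebook"    # constructed sample route
TOKEN = SecureRandom.hex(16)             # constructed per-session CSRF token

# Default comparison: drop one trailing slash, then compare case-insensitively.
# squeeze: true mimics the on_path? override posted in the thread.
def on_path?(request_path, squeeze: false)
  current = request_path.downcase.sub(%r{/$}, "")
  expected = REQUEST_PATH
  current, expected = current.squeeze("/"), expected.squeeze("/") if squeeze
  current.casecmp(expected).zero?
end

# Constant-time comparison so the check does not leak how many bytes matched.
def tokens_match?(expected, given)
  return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
  expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Returns which layer ends up answering the request.
def dispatch(http_method, path, submitted_token: nil, squeeze: false)
  caught = on_path?(path, squeeze: squeeze) &&
           ALLOWED_REQUEST_METHODS.include?(http_method.downcase.to_sym)
  # Not caught by the middleware: the request reaches Devise's passthru action.
  return :devise_passthru_404 unless caught
  # Caught: a cross-site page cannot supply the token bound to the session.
  return :csrf_failure unless tokens_match?(TOKEN, submitted_token)
  :redirect_to_provider
end

def demo
  {
    get_link:      dispatch("GET", REQUEST_PATH),
    new_tab:       dispatch("GET", "#{REQUEST_PATH}/"),
    post_no_token: dispatch("POST", REQUEST_PATH),
    post_ok:       dispatch("POST", REQUEST_PATH, submitted_token: TOKEN),
    double_slash:  dispatch("POST", "/users//auth/facebook", submitted_token: TOKEN),
    squeezed:      dispatch("POST", "/users//auth/facebook", submitted_token: TOKEN, squeeze: true)
  }
end

p demo
```

A plain link, or a login opened in a new tab, is a GET and therefore never reaches the provider redirect in this model; only a POST that carries the session's token does.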
Rails 7 doesn't have UJS by default, so the previous |
Thanks @jkowens. Adding Also

```slim
= form_tag(admin_user_google_oauth2_omniauth_authorize_path) do
  button(type='submit' class='btn btn-primary', style='width: 100%')
    i.fa.fa-google
    | Sign in with Google
```
|
If you place a button / link inside a form, it may cause the "Not found. Authentication passthru" as well. If you face this issue, try moving your button / link outside the form. |
… then the link will use a GET method. Per heartcombo/devise#5236 (comment), change to a button_to to ensure that it's a POST method in all cases.
While using 2 things definitely resolved this for me:
|
Hi everybody, I'm posting here, because none of the answers on Stack Overflow seem to work. So either I've got a bug with the library, or this issue can lead to an improvement of the documentation.
Environment
Current behavior
I've published my repo here: https://github.com/lionelrudaz/dunphy-api/tree/omniauth-facebook
I've followed the guide to enable Facebook login with Omniauth. I've done it three times. I've checked all the possible similar questions on Stack Overflow, including:
When I'm entering http://localhost:3000/users/auth/facebook/, I always get the same error.
Looks like I'm not the only one that has struggled with the error. What's strange is that most of the time, the issue either was fixed by redoing everything from scratch, restarting the server (which I did many times), upgrading rails (which I did as well from 6.0.2 to 6.0.3) or by waiting for the app to be enabled...
I've got no logs to provide, except this error.
Will be even more helpful if you provide a sample application or a test case that reproduces the error.
Expected behavior
I should be redirected to Facebook login.
Let me know if you need more information.