Hello i've run into a bit of a problem with the omniauth-twitter gem, i have followed the documentation to a t and when i go to localhost:3000/auth/twitter i get a no matching route error. I've googled this issue for hours to no avail, I've searched stack overflow to no avail, the only lead i managed to get was on issue on github which was answered with a link to a page which no longer exists all other "solutions" involved misconfiguring devise, which im not even using.
I literally only have the bare minimum code from the documentation that should at least redirect me to the twitter login.
Might this have something to do with the 3-legged oauth being enabled in my twitter app in the developer portal?
Has anyone else run into this issue?
I finally found the solution:
The issue originates with the new CSRF protections due to Omniauth vulnerabilities, to use omniauth with rails for twitter you must use the
omniauth-rails_csrf_protection gem by Cookpad
Related
I am using gem omniauth and when I push my code to Github, it shows me a security warning because of the gem.
CVE-2015-9284
high severity
Vulnerable versions: <= 1.9.0
Patched version: No fix
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
However, it seems that I am using the latest version
Is there any possible fix, or should I skip this for now?
This was reported in omniauth/omniauth issue 960 and discussed in PR 809 "Protect request phase against CSRF when Rails is used. "
It includes:
So we have implemented the omniauth-rails_csrf_protection solution, but previously we had our 3rd party OAuth provider log people in after they had verified the registration and redirect them to our /auth/provider endpoint.
This would now require them POSTing to the endpoint with a CSRF token, which is not possible as they are on a separate platform/system.
Should the omniauth readme be updated to mention that anyone using omniauth with rails should also use omniauth-rails_csrf_protection?
See commit 0264706 as an example of using that setting.
gem "omniauth-rails_csrf_protection"
Or... coreinfrastructure/best-practices-badge PR 1298
I hate to bring in a third-party shim to fix a security issue, but upstream omniauth has still not fixed its vulnerability, and it's a CVE report from 4 years ago (2015).
The omniauth folks are still discussing how to fix it, and my patience has been exhausted.
I reviewed the shim code, and I don't see any issues. This is a vulnerability that allows account takeover, so I think ignoring it is extremely unwise. It's not trivial to exploit, but it's real.
I'm trying to use Wordpress to authenticate my Rails application users with the following Omniauth plugin:
https://github.com/jwickard/omniauth-wordpress-oauth2-plugin
I've followed the instructions carefully, and duplicated his example, but it doesn't work. Which is really surprising, because there's just not that much to it. However, I've found several threads on here like this one, that talk about the same problem I have:
Devise, OmniAuth & Facebook: "Not found. Authentication passthru."
When I click the "Sign in with Wordpress" (which is automatically inserted in my Devise sign-in page), I simply get a 404, with "Not found. Authentication passthru," which is a stub response for the passthru method in the Devise sources. Routes rake just fine, and look like all the examples. I've restarted the server dozens of times.
Despite several attempts to set site: and authorization_url: in the client_options, in both my devise config, and the plugin sources directly, my app never redirects to my Wordpress site. I've got about 10 hours into screwing around with this, and I don't know what's supposed to be responsible for actually sending me to the site to DO the authentication. Further complicating figuring this out is that almost every reference I can find to redirection in this sort of scenario is about the callback to my Rails site, after the authentication is done. I can never get that far.
There's a lot of confusing references to this problem on SO and the internet at large. There's some talk about making a "real" passthru or action_missing method in my OmniauthCallbacksController, but that seems to be outdated information. There's a lot of talk about making sure that I've defined the omniauth_providers in my User model, and I've tried it with and without, but that's not in any of the documentation about this plugin.
I've been trying to look at the plugin's strategy file, and it just doesn't seem that different than other Oauth2 plugins for Facebook, Google, or whatever, that I've been reviewing. It seems like there's a very simple thing I need to set in order to make this all work, but I can't find it, and I've run out of ideas on how to track it down. The plugin was last updated about 5 years ago. Does anyone still use this with modern versions of Devise, Omniauth, and Wordpress? If so, is there a clue you can give me to make it work?
I finally started tracing through the gem, and found where it was failing. As I searched on those further problems, I finally figured out that there were about 25 forks of this gem, and many of them addressed the problem. I used this particular one: https://github.com/bkno/omniauth-wordpress-oauth2-plugin
I've set up a basic rails application to use twitter oauth gem and devise and have been able to log in a user. However, my problem is I've now got my app white-listed and I would like to get a user's email back in the response. I've followed all necessary steps on the twitter side (setting necessary permissions, URLS, and reset keys) and have tried passing both
include_email=true
and
include_email=email
as a params when I initiate the oauth sequence. I feel like I've read and re-read the docs and tried few edge cases I thought might work based off of very little I've found on-line.
Any help with this? Something I'm missing if you've done this before?
I solved my problem. The omniauth gem was not the latest version which would include email. In my gem file I needed to declare '~> 1.2.1' where I had version 1.2.0 - - the new version includes the following changes you can read about here: https://github.com/arunagw/omniauth-twitter/pull/96
I've been trying to implement basic facebook login into a rails app that already users devise via their tutorial on integrating omniauth-facebook: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
However, as far as I can tell after following along with the full setup, I'm stuck with the error in the js console:
XMLHttpRequest cannot load https://www.facebook.com/dialog/oauth?client_id=...
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:3000' is therefore not allowed access.
I've been stuck all day trying to resolve this, via what is my understanding to be a CORS issue.
However, I've had no success with rack-cors (https://github.com/cyu/rack-cors) and attempting to manually set the headers in the application controller hasn't yielded any results.
I'm unsure where to proceed from here, and somewhat baffled that I haven't come across a solution yet for what must be a pretty standard implementation.
Any help or ideas would be greatly appreciated!
Thanks :)
Try restarting your server. :P
If that doesn't work, install the rack-cors gem and follow the relevant config/application.rb modifications then restart your server.
https://github.com/cyu/rack-cors
I've been attempting to get Ruby on Rails 4.1 to talk to our salesforce instance using the gem omniauth and gem restforce as per this instruction link here.
All seems to be going alright, I got things up and running, with a hyperlink that takes me to a salesforce login and seems to return to the callback correctly. However when it does i get the error:
OAuth2::Error
Missing_OAuth_Token
This leaves me really confused and mystified, my oauth token should surely be supplied by the callback?
I have my client_id and client_secret stored in the app and they appear to load in correctly. Adding my salesforce login and password through omniauth should provide all it needs right? I don't see anywhere else in the omniauth gem docs or restforce gem to stick an oauth token... and even then i'm not sure where i'd get it from.
I'd read that there had recently been some authentication failures with the gem omniauth and there is a current issue request to put out a new version. If I specify my gem to pull directly from the github. I get a similar bit distinct error that I have posted about here.
Could anyone give any advice on:
Where I should expect the missing Auth_Token to come from (I really can't work out if I'm supposed to be providing it in my app or if that's what comes back from salesforce
How would be best to go about debugging this? (i'd thought about using debugger but as it pings to code outside of my rails app i'm unsure how much help this would be.
What the correct way would be to go about setting this up properly!
Any help would be greatly appreciated!
This was actually a bug in the omniauth-salesforce gem - https://github.com/realdoug/omniauth-salesforce/pull/13.
There was a minor change to the way the Salesforce API worked which was resolved in the above pull request. You must have upgraded your gem which solved the problem.