Can't verify CSRF token authenticity error when using custom domain on Heroku - ruby-on-rails

I have a Rails 4 app on Heroku and I just pointed my custom domain to the app. I am able to access the app through the custom domain but when I try to sign in I get an error: "The change you wanted was rejected. Maybe you tried to change something you didn't have access to." on the Heroku page and the Heroku logs give this error: Can't verify CSRF token authenticity. I am still able to sign in through the appname.herokuapp.com url. I haven't yet purchased an SSL certificate for the new url. Could this be causing the error?
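To make the error message concrete, here is an added, constructed model of how a Rails-style CSRF check works; it is not Rails' own code and not from the question. The real token lives only in the session (cookie-backed by default), every rendered form carries a masked copy (the Rails 4.2 one-time-pad masking), and on POST the server unmasks the submitted value and compares it with the session copy. The `demo` function shows the same form token passing when the session cookie arrives and failing when the POST carries no session at all, which is what happens when the session cookie was issued for one host (such as appname.herokuapp.com) and the form is posted from another. The function and constant names are this example's own.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # bytes of real token, as in Rails

# The real token: created lazily and stored only in the session.
def csrf_session_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# What goes into the form's hidden authenticity_token field: a fresh random pad
# followed by (pad XOR real token), base64 encoded. Every render differs.
def masked_form_token(session)
  real = Base64.strict_decode64(csrf_session_token(session))
  pad  = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real))
end

# Reverse the masking; nil for anything that is not a well-formed masked token.
def unmask_token(masked)
  decoded = Base64.strict_decode64(masked.to_s)
  return nil unless decoded.bytesize == TOKEN_LENGTH * 2
  xor_bytes(decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH])
rescue ArgumentError
  nil
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The server-side decision behind "Can't verify CSRF token authenticity".
def valid_csrf_token?(session, submitted)
  real = session[:_csrf_token]
  return false if real.nil? || submitted.nil?
  candidate = unmask_token(submitted)
  return false if candidate.nil?
  secure_compare(candidate, Base64.strict_decode64(real))
end

# Two scenarios: session cookie present on the POST, and session cookie absent.
def demo
  browser_session = {}
  form_token = masked_form_token(browser_session)
  with_cookie = valid_csrf_token?(browser_session, form_token)
  # No session cookie reached the server (e.g. cookie scoped to another host):
  # the session is empty, so even a genuine form token is rejected.
  without_cookie = valid_csrf_token?({}, form_token)
  { with_cookie: with_cookie, without_cookie: without_cookie }
end

puts demo.inspect if __FILE__ == $0
```

The useful diagnostic this suggests is to look at the request headers for the failing POST rather than at the certificate: if the `Cookie` header does not carry the session cookie on the custom domain, the token can never verify, regardless of whether the form token itself is correct.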

Related

se.curity.identityserver.util.AllowedFrameOriginUtils

I was trying out the curity configuration for an authentication service and a token service for OAuth and OpenID Connect locally. After all the configuration, when I was trying to test it with OAuth Assistant, I get an error:
Bad request
The request could not be processed
In the terminal, I can see these two INFO logs for particular
se.curity.identityserver.util.AllowedFrameOriginUtils - Requested origin is not allowed: 'http://localhost:...'
se.curity.identityserver.controllers.authorize.AuthorizeOAuthRequestModelProvider - Could not establish the redirect uri for request and client www. If this error occurs *after* being redirected to the authentication service and back, then this error has probably occurred because the original session cookie has been lost. Ensure that the cookie named 'sessionid' was sent to the authentication service. If not, check that the user's browser is not withholding it (for example by the cookie jar becoming full) and that a reverse proxy is not interfering with it.
There is no issue with sessionid. Anyone know how to fix this issue?

Facebook Oauth URL Blocked

I'm currently testing my Ruby on Rails project Omniauth with Facebook functionality and no matter how I enter my Redirect URI it fails.
The exact error is:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
If I do,
https://localhost:3000/users/auth/facebook/callback
it then complains about trying to use an SSL certificate with a non-SSL Puma. Are there any suggestions for this issue? Perhaps working on my SSL certificates, or any other solution.
I've been looking into similar posts and nothing has solved this issue. Please advise.
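Both the Curity log line above ("Requested origin is not allowed") and Facebook's "redirect URI is not whitelisted" message come from the same kind of check: the value the browser sent is compared exactly against a registered list. The following is an added, constructed illustration of those two checks, written for this page and not taken from Curity, Facebook or OmniAuth. An origin is the scheme, host and port triple; a redirect URI additionally includes path and query and may not carry a fragment. Nothing matches by prefix or substring, and a scheme change (http versus https, which is what the https://localhost:3000 attempt above runs into) is a different value.

```ruby
require "uri"

# Origin = scheme + lowercase host + effective port (URI supplies 80/443 defaults).
def origin_of(url)
  u = URI.parse(url.to_s)
  return nil unless %w[http https].include?(u.scheme) && u.host
  [u.scheme, u.host.downcase, u.port]
rescue URI::InvalidURIError
  nil
end

# Frame / CORS style allowlist: the whole triple must equal a registered origin.
def origin_allowed?(allowed_origins, requested)
  req = origin_of(requested)
  !req.nil? && allowed_origins.any? { |a| origin_of(a) == req }
end

# Redirect URI normalization: scheme, host, port, path and query all count;
# a fragment makes the value invalid outright.
def normalize_redirect(url)
  u = URI.parse(url.to_s)
  return nil unless %w[http https].include?(u.scheme) && u.host && u.fragment.nil?
  [u.scheme, u.host.downcase, u.port, u.path.empty? ? "/" : u.path, u.query]
rescue URI::InvalidURIError
  nil
end

# Provider-side decision before redirecting back with a code or token.
def redirect_uri_allowed?(registered_uris, requested)
  req = normalize_redirect(requested)
  !req.nil? && registered_uris.any? { |r| normalize_redirect(r) == req }
end

if __FILE__ == $0
  registered = ["https://localhost:3000/users/auth/facebook/callback"]
  %w[https://localhost:3000/users/auth/facebook/callback
     http://localhost:3000/users/auth/facebook/callback].each do |uri|
    puts "#{uri} -> #{redirect_uri_allowed?(registered, uri)}"
  end
end
```

When a provider rejects a redirect URI, the first thing to compare is the exact registered string against the one the client library actually generated (scheme and port included); the provider's message does not say which component differed.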

"The certificate for this website is invalid" after upload to Heroku

I uploaded my Rails application to Heroku, bought a domain name mysite.com on Site5 and pointed it to my Heroku application URL. I can normally access my site on Heroku when I type www.mysite.com and everything works.
The problem is that before my site opens, I receive a warning that the certificate for this website is invalid and that some other site is pretending to be my site. This looks bad if a customer comes to my site and sees that warning and needs to accept their information "will be at risk". How can I avoid this message?
Here is a screenshot of how it looks in Safari:
Heroku provides a wildcard SSL certificate covering all herokuapp.com subdomains. This will only be valid, of course, when accessing your app via its herokuapp.com subdomain.
If you need SSL for your custom domain, you need to acquire your own certificate for that domain and pay Heroku ($20/mo) to use that certificate for your application.
If you don't need SSL, verify your code isn't redirecting HTTP to HTTPS requests. This isn't something Heroku normally does by itself; any forced-secure transit is most likely coming from your application.
See Heroku KB: SSL Endpoint

omniauth openid invalid credentials

I am using omniauth and logging into google and yahoo using the open_id strategy. This was working fine, until I enabled SSL on my site. There were a couple of issues. First, the URLs being generated were still pointing at http instead of https. I fixed that using a monkey patch from other posts (Omniauth and open_id with Google broken when running behind nginx in SSL mode, OpenID for rails app behind Apache).
Now it seems like the URLs are okay, but now I always get invalid credentials failure. I am using nginx and unicorn and hosting on EC2, if any of that is relevant. I see this in my unicorn logs:
(google) Request phase initiated.
WARNING: making https request to https://www.google.com/accounts/o8/id without verifying server certificate; no CA path was specified.
Generated checkid_setup request to https://www.google.com/accounts/o8/ud with assocication ...
(google) Callback phase initiated.
(google) Authentication failure! invalid_credentials encountered.
*Note: I removed the association above because I was not sure if that's some private key or something.
Also, I see google posting to my callback "/auth/google/callback".
Finally, about the warning about making a request without verifying server certificate, I saw in another post that I should add this:
require "openid/fetchers"
OpenID.fetcher.ca_file = "/etc/ssl/certs/ca-certificates.crt"
which I did, and the messages go away but does not fix my problem. Am I supposed to point this to my ssl certificates instead?
Just confused about what is going on and not finding good logging output to identify the problem...
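The two certificate questions above (the Safari warning on the custom domain, and what ca_file should point at) are both answered by the two checks a TLS client performs: does the certificate's name cover the hostname being visited, and does it chain to a trusted CA. This is an added, self-contained Ruby illustration written for this page, not Heroku's, ruby-openid's or any library's code. It constructs a throwaway private CA and a wildcard leaf certificate shaped like Heroku's *.herokuapp.com one, then runs the hostname check with OpenSSL's RFC 6125 matcher and the chain check with an X509 store. The `build_cert` helper and all names are this example's own.

```ruby
require "openssl"

# Constructed helper: build an X.509 certificate, self-signed when no issuer is given.
def build_cert(cn:, ca:, san: nil, issuer_cert: nil, issuer_key: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}", false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Constructed stand-ins: a private CA and a wildcard leaf like the herokuapp.com one.
TEST_CA_CERT, TEST_CA_KEY = build_cert(cn: "Constructed Test CA", ca: true)
WILDCARD_CERT = build_cert(cn: "*.herokuapp.com", ca: false, san: "*.herokuapp.com",
                           issuer_cert: TEST_CA_CERT, issuer_key: TEST_CA_KEY).first

# Hostname check a browser performs: a wildcard matches exactly one left-most label.
def cert_covers?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Chain check: the leaf must chain to a certificate in the trust store. This store
# is what ca_file feeds; it must hold the issuing CAs (a CA bundle), not the
# site's own leaf certificate.
def chain_trusted?(leaf, trusted_certs)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  store.verify(leaf)
end

if __FILE__ == $0
  %w[myapp.herokuapp.com www.mysite.com a.b.herokuapp.com].each do |host|
    puts "#{host}: covered=#{cert_covers?(WILDCARD_CERT, host)}"
  end
  puts "chain with CA: #{chain_trusted?(WILDCARD_CERT, [TEST_CA_CERT])}"
  puts "chain without CA: #{chain_trusted?(WILDCARD_CERT, [])}"
end
```

Run against the wildcard certificate, `cert_covers?` is true for myapp.herokuapp.com and false for www.mysite.com, which is exactly the Safari warning: the name on the certificate does not cover the custom domain. The chain check is independent of the hostname check; both must pass for a connection to be accepted without a warning.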

Wordpress strategy for OAuth 2.0

I am working on an application that allows a user to authenticate with Devise and Omniauth and then connect his social network account to the app. I wanted to add Wordpress integration (their website states they support OAuth 2.0 authentication and REST API access).
Unfortunately, there was no Omniauth strategy for this provider. I looked into some other gems and decided to write my own - it didn't seem so complicated. The source code can be found here.
I have added all required information (according to Wordpress docs), then I have signed up for an app ID and secret. I have encountered my first problem here - Wordpress demanded a live, public domain as a redirect URI. I didn't want to use one - I wanted to test in development mode first, so localhost was fine for me. I have entered a dummy address, then changed it back to localhost (surprise! They didn't validate it on update, just on create).
I have added the credentials to my initializer (config/initializers/devise.rb):
config.omniauth :wordpress, "my_app_id", "my_app_secret"
It seemed to work - I got the authentication dialog I expected, it mentioned my application. But when I clicked 'Authorize' and got redirected to my application back, I got an error saying invalid credentials.
I have checked the credentials, but they were correct (no typos, proper order). I have reset the app secret - no luck. I have created two other applications, but still nothing.
I have already run out of ideas. What can cause such an error? Is it possible that it's because of the local address in redirect_uri?
I suspected it was something easy to miss, and it was. Wordpress' server responded with a JSON string, but the response was not parsed as one. Therefore the Omniauth gem couldn't find an access token in it and was raising the invalid credentials error. Setting up the correct content type worked like a charm.
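The failure mode described in that answer, a valid JSON token response that the client never parses because of its Content-Type, is easy to reproduce in isolation. Below is an added, constructed model of a content-type-driven token response parser; it is written for this page and is not the oauth2 gem's or OmniAuth's actual code, and the `force:` option stands in for whatever "set the correct content type" means in a given strategy. The constructed responses are labelled as such.

```ruby
require "json"
require "uri"

# Parse a token endpoint response the way a content-type-driven client would:
# JSON for application/json, form decoding for application/x-www-form-urlencoded,
# nothing otherwise. `force:` (:json or :form) overrides the header.
def parse_token_response(content_type, body, force: nil)
  mode = force || case content_type.to_s.split(";").first.to_s.strip.downcase
                  when "application/json"                  then :json
                  when "application/x-www-form-urlencoded" then :form
                  else :none
                  end
  case mode
  when :json then JSON.parse(body)
  when :form then URI.decode_www_form(body).to_h
  else {}
  end
rescue JSON::ParserError
  {}
end

# nil here is what surfaces as an "invalid credentials" failure in the strategy.
def access_token_from(content_type, body, force: nil)
  parse_token_response(content_type, body, force: force)["access_token"]
end

if __FILE__ == $0
  body = '{"access_token":"constructed-token","token_type":"bearer"}' # constructed sample
  puts "text/html         -> #{access_token_from('text/html; charset=utf-8', body).inspect}"
  puts "application/json  -> #{access_token_from('application/json', body).inspect}"
  puts "forced :json      -> #{access_token_from('text/html', body, force: :json).inspect}"
end
```

The check worth keeping from this is to log the raw token response body and Content-Type on failure; a body that clearly contains access_token while the strategy reports no token points at parsing, not at the credentials.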
