omniauth-oauth2: google_oauth2 Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

For whatever its worth , I had all these issues because I had my clientId and secret in both my omniauth.rb file as well as my devise.rb config file. I mistakenly did this following the omniauth-google-oauth2 gem instructions. Now I only have the line below in devise.rb. config.omniauth :google_oauth2, client, secret

No omniauth.rb file needed.

This problem occurs with rails when the domain defined in /config/initializer/session_store.rb is different from the origin/redirect_uri defined in the google api console.

MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'

Removing the domain params or using the same domain on both sides (plus activating contacts and google+ APIs in console…) fixed the problem for me.

I think we can close this issue! 😸

I have been wrestling with this all day, but none of the above helped.

I finally realized that this is happening to me on staging because staging is at staging.example.com and production is at example.com, so both production and staging cookies are being sent to staging. Staging will work most of the time, but then if I go use production and come back to staging, I get one more valid request and then need to re-authenticate. After returning from authenticating with Google, it threw csrf_detected until I cleared cookies. It would then work fine until some seemingly random time in the future that I now attribute to my having interacted with production.

I’m leaving this note here because Google kept leading me back to this issue, so perhaps it will help someone else.

I was getting this error in a rails app and the way to reproduce it was to initiate two oauth2 logins at the same time. This caused one of the logins to fail with CSRF error, because its random string in the state params get invalidated by the second login request.

Just something to keep in mind if you get this error from time to time and you can’t figure out why.

Help me please to slove the issue of csrf-error Please do tell me urgently… not able to authenticate facebook…

/usr/local/var/rbenv/versions/2.1.1/lib/ruby/gems/2.1.0/gems/omniauth-google-oauth2-0.2.3 scopes changed. same error.

Started GET "/auth/google_oauth2/callback?state=e044e048e1058afa01ec0b77f01f16507dcd23f850a5e18d&code=4/XDJgOYYMDkZmKH4074eZSTFHUSbI.kgC2pBqj6B0ZYKs_1NgQtmW_GcM7jAI" for 127.0.0.1 at 2014-05-21 10:22:19 +0200
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

I had this exact same problem and adding domain: 'localhost' in session_store.rb fixed it for me. Thanks everyone!

For me the reason this happened was non of the above so I thought I’d share what solved it for me. Maybe it can save someone else a few hours of headache in the future.

Following this change introduced in Google Chrome behavior, we started adding SameSite=None to all Set-Cookie headers. But, Chrome also ignores Set-Cookie headers that have SameSite=None but are missing the Secure attribute. And, since I was running this on localhost, without HTTPS, the Secure attribute was not added.

So as a result, my session cookie wouldn’t get created on the browser because Chrome would ignore its Set-Cookie header, resulting in a new session created on each request, and a failed state comparison.

So if your app is setting SameSite=None to the session’s Set-Cookie header like this or for all cookies with this gem or this gem, and you’re getting this error when running locally, you should do one of the following:

• In chrome://flags/, disable “Cookies without SameSite must be secure”

Or

• Configure your localhost to run in HTTPS.

Hope this helps.

Update (Nov 25th 2021):

• The Chrome flag mentioned above has been removed 🤷🏻‍♂️

I also had a problem with this and by chance I found out that visitors using naked domain (non-www) got this error.

After some digging I found the source to my problem:

• the callback_url was set to the www subdomain
• the session_store used default domain settings (which resulted in that different cookies were used for www and naked)
• since the user came from naked domain the session was initiated there, but when the callback came back it was to the www subdomain. Since we didn’t have a session we didn’t get a match, thus failing.

There are a few different solutions to this:

• Configure session_store to use the same cookie for both naked and www
• Redirect all traffic to either www or naked (and adjust the callback_url to match it)
• Make the callback_url aware of which subdomain should be used

I went with redirecting the traffic to www, since it was better suited for my given situation. There are multiple ways to redirect the traffic, e.g using Rails routes:

# config/routes.rb
constraints subdomain: false, domain: 'mydomain.com' do
  get ':any', to: redirect(subdomain: 'www', path: '/%{any}'), any: /.*/
end

lol yeah. fixed 😉

Well everything works fine when I use the ugly

provider_ignores_state: true

option. Thus I’m sure my credentials are ok.

For the record I also use other options, but quite sure it has nothing to do with the present problem :

    prompt: 'select_account consent',
    access_type: 'offline',
    scope: 'userinfo.profile,userinfo.email,youtube'

If you got this error with Safari, then try Firefox and Chrome. If only Safari has this issue, then my answer may help, because I spend hours to figure it out.

The problem is, like this URL http://example.org/auth/my-strategy, Safari will send two requests.

The first request to onmiauth, will generate a state, then redirect to my-strategy login, after login successfully, redirect back to my-strategy callback http://example.org/auth/my-stragegy/callbck with s state parameter, at this time Omniauth will compare the state value between session and callback parameter.

The second request is going after the first request, it makes Omniauth generate another state.

See, the callback state param of the first request has not to be the same of state in session, that’s why we got CSRF detected error.

To fix it, I add a timestamp to login URL, http://example.org/auth/my-strategy?t=12345678, Safari won’t request this URL twice when I click it.

currently we’re using the same session["omniauth.state"] to store incoming params[:state]

# set in authorize_params
session["omniauth.state"] = params[:state]

# checked in callback_phase
request.params["state"] != session.delete("omniauth.state")

if we give each state its own namespace, then multiple requests won’t trample over each other?

# set in authorize_params
session["omniauth.state.#{params[:state]}"] = params[:state]

# checked in callback_phase
request.params["state"] != session.delete("omniauth.state.#{request.params["state"]}")

with default :cookie_store, there is still risk of overwriting each other. i ended up monkey patching with Rails.cache instead

# set in authorize_params
Rails.cache.write("omniauth.state.#{params[:state]}", Time.now.to_f, expires_in: 24.hours)

# checked in callback_phase
!Rails.cache.exist?("omniauth.state.#{request.params["state"]}")
...
Rails.cache.delete("omniauth.state.#{request.params["state"]}")

Hey all,

I’d just like to point out that this is still broken under some conditions: namely, if you start making multiple requests from you’re app, and during that time initiate an auth request, there’s a race condition that causes the session cookie that holds the state to be clobbered.

Specifically, -Request 1 for some resource hits you’re server, and begins doing something that requires a lot of computation/lookups. -Auth request is created -Auth request (with state information) is returned, cookie is updated -Request 1 returns, cookie is overwritten by Request 1’s cookie (which didn’t have the session state in it) -User finishes authorizing with 3rd party, callback is initiated, and request.params[‘state’] is empty

Just wanted to add to the thread, as I wound up here after some quick googling as well. I solved this by doing something specific within my app space (message if you’d like to hear what, but its more of a case-by-case thing) - if theres something I’m missing though that would have solved this would love to hear it!

here is my way provider :provider, APP_KEY, APP_SECRET, provider_ignores_state: Rails.env.development?

@gdurelle Thanks for clarifying.

I ran into the same problem with omniauth-github, and provider_ignores_state: true “fixed” it, but as @NickTomlin wrote above, using provider_ignores_state: true feels wrong. But I haven’t had time to look into the problem more. I don’t think there’s a need to reopen.

Ours ended up being a race condition where a second request was clearing all the relevant omniauth fields from the session before we’d gotten through the callback phase

Is this issue related to google issue https://code.google.com/p/gdata-issues/issues/detail?id=6628 wherein occasionally two requests are sent back from google account login?

Strangely, I’m seeing this on iOS safari, but not iOS chrome or mac/pc im using facebook omniauth

FWIW, if anyone else comes here with the same issue - I had the same error happen with Hybrid Auth; adding provider_ignores_state in omniauth setup fixed it.

Then another separate bug appeared with invalid_client; which was way more easier to handle - PEBKAC 😃

i’ve been banging my head against this issue for far too long to not leave a comment here letting others know what worked for me.

for context: i’m using oauth within a mounted rails engine. the issue was that the main rails app the engine was mounted in was using https via force_ssl but the engine was not. this caused the server to randomly bounce between http and https, which both caused the csrf error and trashed the session.

if you’re reading this, i hope it helps you to not lose two and a half days to debugging like i did. godspeed!

Guys, can you point us to some steps to solve this issue. I can’t figure out what to monkey patch according to @choonkeat solution. I hope if you point out some directions.

This is the solution that worked for me. http://stackoverflow.com/a/25112048

Basically remove omniauth.rb and set you configuration in devise.rb. look for around line 238

  # ==> OmniAuth
  # Add a new OmniAuth provider. Check the wiki for more information on setting
  # up on your models and hooks.
  # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
  config.omniauth :instagram, ENV['INSTAGRAM_APPID'], ENV['INSTAGRAM_SECRET']

@jwg2s Please have a look at my PR - that was the reason why I faced this. Maybe your case is very same. https://github.com/zquestz/omniauth-google-oauth2/pull/190/files

Is there a safe version that doesn’t suffer from this issue? I am experiencing the same thing and have tried provider_ignores_state, domain in session store, and skipping devise authentication for the omniauth controller. I’m at a loss.

@austinwang +1 I removed the wrong initializer and it works now !

After some tests, its appear that session[‘omniauth.state’] is nil during the callback phase! Why session doesn’t keep it?