omniauth-oauth2: omniauth: (google_login) Authentication failure! csrf_detected (only Safari)

We started getting reports from users that they cannot log in with Google (it also happens with login via Facebook). On Firefox or Chrome it works fine, but it does not work in Safari. It simply goes back to the login page.

I can see this error in our puma log:

E, [2022-06-22T11:54:57.979909 #40] ERROR -- omniauth: (google_login) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

Any suggestions on how to investigate/resolve this?


Most upvoted comments

You could switch back to set_defaults 7.0 and in an initializer set Rails.application.config.action_dispatch.cookies_same_site_protection = :strict which may help, but I suppose could break things depending on how your site is set up and what needs access to cookies.

Here’s where that’s defined in Rails. I suspect one of these two blocks of settings [1, 2]; I suspect it’s the lax setting.
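To help with the "how to investigate" question: the error above is raised when the `state` value the provider sends back to the callback does not match the one stored in the session during the request phase, so anything that stops the session cookie from reaching the callback request (including the browser's SameSite cookie handling discussed in the comment) produces `csrf_detected`. The following is an added, simplified model of that round trip written for this thread, not omniauth-oauth2's own code; the provider URL and session keys are illustrative placeholders.

```ruby
require "securerandom"

# Simplified model of the OAuth2 "state" check (illustration only, not the gem's code).
class StateCheck
  CallbackError = Class.new(StandardError)

  # Request phase: generate a random state, keep it in the session (which lives
  # behind the session cookie) and send it to the provider in the authorize URL.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session["omniauth.state"] = state
    "https://provider.example/oauth2/auth?state=#{state}" # placeholder provider URL
  end

  # Callback phase: the provider redirects back with the same state; it must
  # match what the session holds, otherwise the login is rejected as CSRF.
  def self.callback_phase(session, params)
    stored = session.delete("omniauth.state")
    if stored.nil? || stored.empty? || params["state"] != stored
      raise CallbackError, "csrf_detected | CSRF detected"
    end
    :ok
  end
end

# Simulates one login. The callback is a cross-site redirect from the provider;
# whether the browser attaches the session cookie to it is the variable under test.
def simulate_login(session_cookie_sent_on_callback:)
  session = {}
  url = StateCheck.request_phase(session)
  state = url[/state=(\h+)/, 1]
  # Without the cookie the server starts a fresh, empty session for the callback.
  session_seen_by_server = session_cookie_sent_on_callback ? session : {}
  StateCheck.callback_phase(session_seen_by_server, { "state" => state })
rescue StateCheck::CallbackError => e
  e.message
end
```

Comparing the same flow with and without the cookie on the callback reproduces the log line from the issue, which is a quick way to confirm the cookie is the missing piece before changing `cookies_same_site_protection`.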