
Rails - Linkedin Auth: Not found. Authentication passthru


Hi, I have an application with LinkedIn authentication that used to work fine. Today I got complaints from users saying they see "Not found. Authentication passthru." when clicking on login with LinkedIn. It takes them to the page: http://XXXXX/users/auth/linkedin?locale=en

When I check the logs I get:

Started GET "/users/auth/linkedin?locale=en" for ::1 at 2021-07-12 18:04:13 +0800
Processing by OmniauthCallbacksController#passthru as HTML
  Parameters: {"locale"=>"en"}
  Rendering text template
  Rendered text template (0.0ms)
Completed 404 Not Found in 3ms (Views: 0.9ms | ActiveRecord: 0.3ms)

My controller looks like:

class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  # Callback action: runs after LinkedIn redirects back with the auth hash.
  def linkedin
    @user = User.connect_to_linkedin(request.env["omniauth.auth"], current_user)
    if @user.persisted?
      flash[:notice] = I18n.t "devise.omniauth_callbacks.success"
      sign_in_and_redirect @user, :event => :authentication
    else
      # Keep the auth hash (without the "extra" key) for the registration form.
      session["devise.linkedin_uid"] = request.env["omniauth.auth"].except("extra")
      redirect_to new_user_registration_url
      flash[:notice] = I18n.t "devise.omniauth_callbacks.failure"
    end
  end
end

I have the following in my model:

devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :confirmable, :omniauthable, :omniauth_providers => [:linkedin]

             user_linkedin_omniauth_authorize GET|POST /users/auth/linkedin(.:format)                                                omniauth_callbacks#passthru
              user_linkedin_omniauth_callback GET|POST /users/auth/linkedin/callback(.:format)                                       omniauth_callbacks#linkedin

When I add the POST method to the link_to, I get the following:

Started POST "/users/auth/linkedin?locale=en" for ::1 at 2021-07-12 21:56:18 +0800
D, [2021-07-12T21:56:18.416654 #65475] DEBUG -- omniauth: (linkedin) Request phase initiated.
W, [2021-07-12T21:56:18.417955 #65475]  WARN -- omniauth: Attack prevented by OmniAuth::AuthenticityTokenProtection
E, [2021-07-12T21:56:18.418089 #65475] ERROR -- omniauth: (linkedin) Authentication failure! authenticity_error: OmniAuth::AuthenticityError, Forbidden
Processing by OmniauthCallbacksController#failure as HTML

And other stuff

Do you see what could be the reason behind this sudden problem, please? I did a Bundle Update a few days ago and a lot of errors started showing up.

None of what I saw so far could help.


Solution

  • I found this was because CSRF protection is enabled by default in OmniAuth 2 and above, and GET requests, like the one you are trying, are no longer supported.

    I was able to fix it with two things:

    1. Add omniauth-rails_csrf_protection gem: https://github.com/cookpad/omniauth-rails_csrf_protection

    2. Update your config/initializers/omniauth.rb to include:

    OmniAuth.config.allowed_request_methods = [:get, :post]
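
Added example (not part of the original answer, and not OmniAuth's or Devise's code): a simplified Ruby model of the request-phase gate that reproduces the outcomes in the logs above and shows what the `[:get, :post]` setting changes. The class name, session key and return symbols are hypothetical, and the model assumes safe methods (GET) skip the token check.

```ruby
require "securerandom"
# Simplified model of the request-phase gate; not OmniAuth's source.
# RequestPhaseGate, the :csrf key and the return symbols are hypothetical names.
class RequestPhaseGate
  SAFE_METHODS = %i[get head].freeze
  def initialize(allowed_request_methods:, request_path: "/users/auth/linkedin")
    @allowed = allowed_request_methods
    @request_path = request_path
  end

  # Token that a POST form would embed, stored in the user's session.
  def issue_token(session)
    session[:csrf] ||= SecureRandom.base64(32)
  end

  # :passthru             -> method not allowed; the app's own route answers (the 404 above)
  # :authenticity_error   -> unsafe method without a valid token (the "Attack prevented" log)
  # :redirect_to_provider -> request phase runs and the user is sent to the provider
  def call(method:, path:, session:, token: nil)
    return :passthru unless path == @request_path && @allowed.include?(method)
    # Assumption: safe methods skip the token check, as CSRF filters conventionally do.
    return :redirect_to_provider if SAFE_METHODS.include?(method)
    valid_token?(session, token) ? :redirect_to_provider : :authenticity_error
  end

  private
  # Constant-time comparison of the session token with the submitted one.
  def valid_token?(session, token)
    expected = session[:csrf]
    return false if expected.nil? || token.nil? || expected.bytesize != token.bytesize
    expected.bytes.zip(token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed sample requests covering the cases in the logs above.
def demo_outcomes
  path = "/users/auth/linkedin"
  session = {}
  strict = RequestPhaseGate.new(allowed_request_methods: [:post])
  relaxed = RequestPhaseGate.new(allowed_request_methods: %i[get post])
  token = strict.issue_token(session)
  {
    strict_get: strict.call(method: :get, path: path, session: session),
    strict_post_no_token: strict.call(method: :post, path: path, session: session),
    strict_post_token: strict.call(method: :post, path: path, session: session, token: token),
    relaxed_get: relaxed.call(method: :get, path: path, session: {})
  }
end
```

In this model, keeping `[:post]` means the login link has to become a form POST that carries the session's token, while `[:get, :post]` lets a GET reach the provider redirect with no token compared.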