OmniAuth - current session not loaded on OpenID callback_问答_开发者

OmniAuth - current session not loaded on OpenID callback

开发者 https://www.devze.com 2023-02-12 05:18 出处：网络

I\'m using OmniAuth with Rails 3.1.4 and I\'m trying to allow already authenticated users to associate multiple OpenID providers with their account.

I'm using OmniAuth with Rails 3.1.4 and I'm trying to allow already authenticated users to associate multiple OpenID providers with their account.

As an unauthentica开发者_Go百科ted user, signing in with OpenID works fine. As an authenticated user, when I try to sign in with a different oid provider, when the callback method is executed, it just looks like I wasn't previously authenticated.

To me it just looks like the controller gets executed before sessions are initialised (or sessions are completely skipped).

What could it be?

Confirming Andrei Serdeliuc's solution, disabling protect_from_forgery worked for me (Ruby 1.8.7, Rails 2.3.11, OmniAuth 0.1.6)

in your CallbackController (AuthenticationsController in the famous screencast) adding skip_before_filter :verify_authenticity_token or protect_from_forgery :except => :create at the top of the controller work !

As it could be a way for CSRF (Cross-Site Request Forgery) you should verify the identity of the openid server, don't forget to setup the certificate verification (in the initializer):

# First of all get a ca-bundle.crt file (eg : from your open-source browser package)
require "openid/fetchers"
OpenID.fetcher.ca_file = "#{Rails.root}/config/ca-bundle.crt""

it will prevent warnings like :

WARNING: making https request to https://www.google.com/accounts/o8/id 
without verifying server certificate; no CA path was specified.

Now my sessions are not reseted anymore, and can add several openid authentication to my curren_user.

cheers

Keep in mind that OmniAuth has no concept of "signing in." It simply verifies that the user was authenticated at the third-party app and gives you the information you need to implement your own sign-in system (or integrate with an existing one). (There are excellent screencasts on this topic; see part 1 and part 2 on Railscasts, for example.)

That being said, the following assumes you haven't fallen into that common trap and really are having problems accessing session data in your callback. Some basic testing on my part shows that sessions work as expected in the OmniAuth callback. See the following code at https://github.com/BinaryMuse/so_5049994/compare/master...experiment:

class AuthController < ApplicationController
  def callback
    session[:count] ||= 0
    session[:count] += 1

    @count = session[:count]
    @env   = env['omniauth.auth']
  end
end

After authenticating via various services I have applications for (Facebook and Twitter among them), I receive output similar to the following (see the view file):

OmniAuth Callback

Number of times viewed (session): 5

OmniAuth Hash:

  {"provider"=>"facebook", "uid"=>"1017... (rest of omniauth hash here)

As for me I have to implement an app with Intuit, and ran in to the same problem. What fixed it for me isn't the removal of protect forgery or skipping the authenticity_token check but making sure the page where I submit the authorization form locally has the same host as the redirect URL. I had 127.0.0.1:3000 but the redirect_url was localhost:3000.