Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error "csrf_detected: Invalid 'state' parameter" happens due to session changing unexpectedly #196

Open
MarcoCouto opened this issue Nov 28, 2024 · 0 comments
Open

Error "csrf_detected: Invalid 'state' parameter" happens due to session changing unexpectedly #196

MarcoCouto opened this issue Nov 28, 2024 · 0 comments

Comments

@MarcoCouto
Copy link

Hi, I'm using this gem to support sign-in with Microsoft365. For compatibility reasons, I have to use version 0.6.1 and with Devise.

Using the discovery option doesn't work.
Here's the configuration:

config.omniauth :openid_connect, {
    name: :microsoft_office365,
    scope: [:openid, :email, :profile],
    issuer: "https://login.microsoftonline.com/common/v2.0", 
    response_type: :id_token,
    response_mode: :form_post,
    uid_field: "preferred_username",
    discovery: true,
    client_options: {
      port: 443,
      scheme: "https",
      host: "login.microsoftonline.com",
      identifier: ENV['MICROSOFT_CLIENT_ID'],
      secret: ENV['MICROSOFT_CLIENT_SECRET'],
      redirect_uri: "#{ENV['APP_DOMAIN']}/omniauth/microsoft_office365/callback"
    },
  }

I get an "Issuer mismatch" error, although the link https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration does retrieve a valid configuration.

So, I tried without discovery: true, and here's the configuration I used:

config.omniauth :openid_connect, {
    name: :microsoft_office365,
    scope: [:openid, :email, :profile],
    issuer: "https://login.microsoftonline.com/common/v2.0",
    response_type: :id_token,
    response_mode: :form_post,
    uid_field: "preferred_username",
    client_options: {
      port: 443,
      scheme: "https",
      host: "login.microsoftonline.com",
      identifier: ENV['MICROSOFT_CLIENT_ID'],
      secret: ENV['MICROSOFT_CLIENT_SECRET'],
      authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
      token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
      userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
      jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
      end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
      redirect_uri: "#{ENV['APP_DOMAIN']}/omniauth/microsoft_office365/callback"
    },
  }

Now, the error type is :csrf_detected, and the :reason is "Invalid 'state' parameter".
After looking at the gem's code and doing a few tests, I realized that the session changes between requests, i.e., between the authorization request (https://login.microsoftonline.com/common/oauth2/v2.0/authorize) and the callback request (redirect_uri: "#{ENV['APP_DOMAIN']}/omniauth/microsoft_office365/callback"). I printed the session id and it is indeed different. Hence, the stored_state and the nonce values, which are stored between requests in the session, will always be nil.

Why does this happen? Is anyone else facing this issue? What can I be doing wrong?

Thanks in advance!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MarcoCouto