omniauth: (google_login) Authentication failure! csrf_detected (only Safari) #155
Comments
|
It seems like the problem started after we upgraded Rails from 6 to 7 (and also switched our asset compilation from sprockets to propshaft, but not sure if/how this is related). It's very odd however that it works with other browsers but only fails with Safari. |
|
Something with Intelligent Tracking Prevention? https://webkit.org/tracking-prevention/ |
|
Make sure safari isn't set to block all cookies, and if you're on Rails 7, see if you need to make this change: omniauth/omniauth#1061 (comment) |
|
Thank you @dentarg and nice to bump into you again here. I also had a similar hunch, but not sure how this is affected by the version of Rails though? and I think Firefox also has its own tracking prevention by default? I don't see anything obvious being blocked by the browser though, but on the backend it indicates that there's a CSRF error. By the way, someone also wrote about Safari specifically back in 2017, although I couldn't work out what changes to make). @BobbyMcWho that's very interesting. However, we're already using |
|
Does this only occur with google oauth, or other omniauth strategies as well? I don't have a Rails 7 app to test this with unfortunately, can you submit a minimal app that reproduces this behavior? I've got some single filers here that you could start off with |
|
It also happens with Facebook. But as I mentioned, only with Safari. I can try to create a reproducible app, but it might be tricky to include all the different moving parts that might affect this. |
|
I found a workaround. I'm still not sure what it does or how, but it seems to solve the problem. I changed our |
|
Interesting. The HN link is from early 2020 and still seems to be a problem. I tested on Big Sur with Safari Version 14.1.2 (16611.3.10.1.6). Is there a better workaround then to only switch this back and still use the 7.0 defaults? |
|
You could switch back to set_defaults 7.0 and in an initializer set |
|
It seems like with 6.0 defaults it is set to |
|
I tested with |
|
Different browsers handle nil differently I believe. As far as I can tell, this isn't really an Omniauth issue, but more an application configuration issue, you may want to try :none instead of strict. Out of curiosity, are you using cookie store for your sessions? |
|
Thank you @BobbyMcWho. We store sessions in redis, although we are considering swiching to cookies. |
|
To be clear, I'm not sure if cookie store would resolve it for you or not, I'm happy to help if I can, but unfortunately I don't have first hand experience with this specific issue in a production app, so I'm unsure how to guide your resolution |
|
Thanks again @BobbyMcWho. I'm also not sure what difference using cookies vs sessions make. We're using clearance for authentication, so perhaps the way they set up their cookies is different from how cookie store does it? any tips on what to look for and how to investigate this weird issue would be appreciated. It seems to stretch my knowledge quite a bit, especially since it fails on Safari, and only very broadly familiar with the mechanics of oauth2 either. |
This is an attempt to fix an issue we're seeing where signing in with Omniauth isn't working in Safari. Setting this value to `nil` (which means the `SameSite` attribute is left unset) should in theory be the same as setting to to `lax` (which means the `SameSet` attribute is set to `Lax`), however it seems like Safari treats these differently: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#lax omniauth/omniauth-oauth2#155 (comment)
We started getting reports from users that they cannot login with Google (it also happens with login with Facebook). On Firefox or Chrome it works fine, but does not work in Safari. It simply goes back to the login page.
I can see this error in our puma log:
Any suggestions on how to investigate/resolve this?
The text was updated successfully, but these errors were encountered: