I get this:
OmniAuth::Strategies::OAuth2::CallbackError at /auth/google/callback
csrf_detected | CSRF detected
My code:
require 'sinatra'
require "sinatra/json"
require "sinatra/config_file"
require 'omniauth-oauth2'
require 'omniauth-google-oauth2'

use Rack::Logger
config_file "config/app_config.yml"

# Exactly one session middleware. Adding `enable :sessions` as well makes
# Sinatra insert a second Rack::Session::Cookie in front of this one, and the
# two then write the same "rack.session" cookie with different secrets.
use Rack::Session::Cookie, secret: '5fb7w345y3489f523y4h'

use OmniAuth::Builder do
  provider :google_oauth2, settings.google[:client_id], settings.google[:secret], {
    :scope       => "userinfo.profile",
    :access_type => "offline",
    :prompt      => "select_account consent",
    :name        => "google"
  }
end

get '/list' do
  json get_list   # get_list is defined elsewhere in the app (not shown)
end

get '/' do
  %Q|<a href='/auth/google'>Sign in with Google</a>|
end

get '/auth/:name/callback' do
  @auth = request.env['omniauth.auth']
  @auth.inspect
end
My callback returns code and state.
Solution
Had the same problem.
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
The latest omniauth-oauth2 update introduced the "state" param as a required field.
Some people suggest using provider_ignores_state: true, but that is a bad idea because it introduces a CSRF flaw.
I guess we have to downgrade to the previous version to keep google_oauth2 working.
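As an added example (not code from the post or from omniauth), here is the "state" check the answer refers to, reduced to plain Ruby with a Hash standing in for the Rack session: it shows when a callback is rejected as csrf_detected and what provider_ignores_state: true gives up. The authorize URL and the sample codes are constructed values.

```ruby
require 'securerandom'
require 'uri'

# Constant-time comparison so the check leaks nothing about matching bytes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Request phase: mint a random state, keep it in the session and send it
# along in the redirect. A plain Hash stands in for Rack::Session::Cookie.
def request_phase(session, authorize_url = 'https://accounts.google.com/o/oauth2/auth')
  session['omniauth.state'] = SecureRandom.hex(24)
  "#{authorize_url}?#{URI.encode_www_form(state: session['omniauth.state'])}"
end

# Callback phase: the state echoed back must equal the one this browser's
# session stored in the request phase, otherwise the login is rejected as
# csrf_detected. ignore_state models provider_ignores_state: true, which
# accepts any code regardless of which session started the login.
def callback_phase(session, params, ignore_state: false)
  expected = session.delete('omniauth.state') # single use
  given = params['state'].to_s
  ok = expected && !given.empty? && secure_compare(expected, given)
  return { error: 'csrf_detected' } unless ignore_state || ok
  { code: params['code'] }
end
def state_from(redirect_url)
  URI.decode_www_form(URI(redirect_url).query).to_h['state']
end

# A normal login: both phases see the same session and the same state.
def legitimate_login
  session = {}
  state = state_from(request_phase(session))
  callback_phase(session, { 'code' => 'constructed-code', 'state' => state })
end

# A callback whose state was never issued to this session; the check exists to reject it.
def foreign_callback(ignore_state:)
  session = {}
  request_phase(session)
  params = { 'code' => 'foreign-code', 'state' => SecureRandom.hex(24) }
  callback_phase(session, params, ignore_state: ignore_state)
end

# Session lost between the two requests: a genuine state cannot be verified either.
def lost_session_login
  callback_phase({}, { 'code' => 'constructed-code', 'state' => state_from(request_phase({})) })
end
```

The last case is the one that produces csrf_detected for a perfectly honest sign-in: if the session written in the request phase is not the one read in the callback, the stored state is simply absent.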