Lightspeed OAuth CSRF and redirect_uri errors (ruby)

Posted: 2016-03-07 09:56:47

Question:

So first we ran into a CSRF error that didn't make much sense. It failed in omniauth's callback phase.

Started GET "/auth/lightspeed" for 127.0.0.1 at 2015-12-02 14:48:32 +1100
I, [2015-12-02T14:48:32.949808 #32768]  INFO -- omniauth: (lightspeed) Request phase initiated.


Started GET "/auth/lightspeed/callback?code=b8cb8bcc6f741f2f919e3924e0dc3c648f67d129&state=457c2b3ab0917bdc88180edf1fdc8be63c1011b0a9939a7e" for 127.0.0.1 at 2015-12-02 14:48:44 +1100
I, [2015-12-02T14:48:44.254381 #32768]  INFO -- omniauth: (lightspeed) Callback phase initiated.
E, [2015-12-02T14:48:44.254727 #32768] ERROR -- omniauth: (lightspeed) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
E, [2015-12-02T14:48:44.255305 #32768] ERROR -- omniauth: (lightspeed) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
[Rollbar] Reporting exception: csrf_detected | CSRF detected
[Rollbar] Exception not reported because Rollbar is disabled

OmniAuth::Strategies::OAuth2::CallbackError - csrf_detected | CSRF detected:
  omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
  omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:20:in `call'
  omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:12:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:475:in `fail!'
  omniauth-oauth2 (1.3.1) lib/omniauth/strategies/oauth2.rb:75:in `callback_phase'
  omniauth (1.2.2) lib/omniauth/strategy.rb:227:in `callback_call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/builder.rb:59:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.2.3) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.3) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  activerecord (4.2.3) lib/active_record/migration.rb:377:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.3) lib/active_support/callbacks.rb:84:in `run_callbacks'
  actionpack (4.2.3) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  rollbar (1.5.3) lib/rollbar/middleware/rails/rollbar.rb:24:in `block in call'
  rollbar (1.5.3) lib/rollbar.rb:799:in `scoped'
  rollbar (1.5.3) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  rollbar (1.5.3) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
  actionpack (4.2.3) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.3) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.3) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.3) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.3) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.3) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.3) lib/rails/rack/logger.rb:20:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.3) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/lock.rb:17:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/static.rb:116:in `call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  railties (4.2.3) lib/rails/engine.rb:518:in `call'
  railties (4.2.3) lib/rails/application.rb:165:in `call'
  rack (1.6.4) lib/rack/content_length.rb:15:in `call'
  thin (1.6.4) lib/thin/connection.rb:86:in `block in pre_process'
  thin (1.6.4) lib/thin/connection.rb:84:in `pre_process'
  thin (1.6.4) lib/thin/connection.rb:53:in `process'
  thin (1.6.4) lib/thin/connection.rb:39:in `receive_data'
  eventmachine (1.0.8) lib/eventmachine.rb:193:in `run'
  thin (1.6.4) lib/thin/backends/base.rb:73:in `start'
  thin (1.6.4) lib/thin/server.rb:162:in `start'
  rack (1.6.4) lib/rack/handler/thin.rb:19:in `run'
  rack (1.6.4) lib/rack/server.rb:286:in `start'
  railties (4.2.3) lib/rails/commands/server.rb:80:in `start'
  railties (4.2.3) lib/rails/commands/commands_tasks.rb:80:in `block in server'
  railties (4.2.3) lib/rails/commands/commands_tasks.rb:75:in `server'
  railties (4.2.3) lib/rails/commands/commands_tasks.rb:39:in `run_command!'
  railties (4.2.3) lib/rails/commands.rb:17:in `<top (required)>'
  bin/rails:4:in `<main>'

The "omniauth.state" that is set in the session during the request phase was nil.

oauth2.rb:

elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))

I tried setting the option provider_ignores_state: true, but the problem persisted because of the session issue.

I've seen others mention the domain. We don't even set a domain, and I'm fairly confident our domains match. The thing is, we have one app redirecting to another app, which then redirects to Lightspeed auth.

I'm writing this up to help anyone else who may hit a similar situation, because I spent a lot of time on it yesterday.

Our domain names did not match exactly; after fixing our nginx config the CSRF error no longer appeared!

Then I kept getting redirect_uri errors.

In the meantime I had updated our gems (I know, silly). There is a breaking change in omniauth-oauth2 1.4.0.

Pinned the gem to 1.3.1.
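As an added illustration (not code from the question or from omniauth itself), the following Ruby model reproduces the state check from the quoted `elsif` and shows why a callback that arrives with a different session cookie, which is what happens when two hostnames do not match exactly, is reported as csrf_detected even though the provider returned the state correctly. Class, method and host names are my own assumptions.

```ruby
require "securerandom"

# Added model of the state check omniauth-oauth2 1.3.1 runs in callback_phase
# (the `elsif` quoted above). Class and method names are my own, not the gem's.
class OAuthStateCheck
  CallbackError = Class.new(StandardError)

  # Request phase: mint a random state, keep it in the session, send it to the provider.
  def self.request_phase(session)
    session["omniauth.state"] = SecureRandom.hex(24)
  end

  # Callback phase: the state echoed back must equal the one in this browser's
  # session; the session copy is deleted so each state is single-use.
  def self.callback_phase(session, params, provider_ignores_state: false)
    expected = session.delete("omniauth.state")
    received = params["state"].to_s
    return :ok if provider_ignores_state
    raise CallbackError, "csrf_detected" if received.empty?
    raise CallbackError, "csrf_detected" unless expected && secure_equal?(received, expected)
    :ok
  end

  # Constant-time comparison, so a mismatch leaks nothing through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Toy browser cookie jar: one session per exact host, which is how a session
# cookie behaves when no Domain attribute is set (the situation in the question).
class BrowserSessions
  def initialize; @by_host = Hash.new { |h, k| h[k] = {} }; end
  def for_host(host); @by_host[host]; end
end

# Start the flow on request_host and receive the callback on callback_host.
# Returns :ok or the omniauth-style error key.
def simulate_flow(request_host, callback_host, ignore_state: false)
  browser = BrowserSessions.new
  state = OAuthStateCheck.request_phase(browser.for_host(request_host))
  params = { "state" => state }
  OAuthStateCheck.callback_phase(browser.for_host(callback_host), params,
                                 provider_ignores_state: ignore_state)
rescue OAuthStateCheck::CallbackError => e
  e.message
end
```

Running simulate_flow with the same host twice succeeds, while starting on one host and receiving the callback on another (for example with and without a www. prefix) yields csrf_detected because the callback request carries an empty session, exactly the nil "omniauth.state" described above.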

Question comments:

Answer 1:

I ran into the invalid redirect_uri problem and fixed it by setting this in config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :lightspeed,
    "<CLIENT ID>",
    "<CLIENT SECRET>",
    scope: 'employee:all',
    # redirect_uri sent on the token request must match the registered callback URL
    token_params: { redirect_uri: "http://localhost:3000/auth/lightspeed/callback" }
end

Answer comments:
