Lightspeed OAuth CSRF和redirect_uri错误(拼音)

Question

因此，首先我们得到了一个CSRF错误，这是没有太大意义的。它在omniauth的回调阶段失败了。

Started GET "/auth/lightspeed" for 127.0.0.1 at 2015-12-02 14:48:32 +1100
I, [2015-12-02T14:48:32.949808 #32768]  INFO -- omniauth: (lightspeed) Request phase initiated.


Started GET "/auth/lightspeed/callback?code=b8cb8bcc6f741f2f919e3924e0dc3c648f67d129&state=457c2b3ab0917bdc88180edf1fdc8be63c1011b0a9939a7e" for 127.0.0.1 at 2015-12-02 14:48:44 +1100
I, [2015-12-02T14:48:44.254381 #32768]  INFO -- omniauth: (lightspeed) Callback phase initiated.
E, [2015-12-02T14:48:44.254727 #32768] ERROR -- omniauth: (lightspeed) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
E, [2015-12-02T14:48:44.255305 #32768] ERROR -- omniauth: (lightspeed) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
[Rollbar] Reporting exception: csrf_detected | CSRF detected
[Rollbar] Exception not reported because Rollbar is disabled

OmniAuth::Strategies::OAuth2::CallbackError - csrf_detected | CSRF detected:
  omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
  omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:20:in `call'
  omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:12:in `call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:475:in `fail!'
  omniauth-oauth2 (1.3.1) lib/omniauth/strategies/oauth2.rb:75:in `callback_phase'
  omniauth (1.2.2) lib/omniauth/strategy.rb:227:in `callback_call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/builder.rb:59:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.2.3) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.3) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  activerecord (4.2.3) lib/active_record/migration.rb:377:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.3) lib/active_support/callbacks.rb:84:in `run_callbacks'
  actionpack (4.2.3) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  rollbar (1.5.3) lib/rollbar/middleware/rails/rollbar.rb:24:in `block in call'
  rollbar (1.5.3) lib/rollbar.rb:799:in `scoped'
  rollbar (1.5.3) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  rollbar (1.5.3) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
  actionpack (4.2.3) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.3) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.3) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.3) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.3) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.3) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.3) lib/rails/rack/logger.rb:20:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.3) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.4) lib/rack/lock.rb:17:in `call'
  actionpack (4.2.3) lib/action_dispatch/middleware/static.rb:116:in `call'
  rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
  railties (4.2.3) lib/rails/engine.rb:518:in `call'
  railties (4.2.3) lib/rails/application.rb:165:in `call'
  rack (1.6.4) lib/rack/content_length.rb:15:in `call'
  thin (1.6.4) lib/thin/connection.rb:86:in `block in pre_process'
  thin (1.6.4) lib/thin/connection.rb:84:in `pre_process'
  thin (1.6.4) lib/thin/connection.rb:53:in `process'
  thin (1.6.4) lib/thin/connection.rb:39:in `receive_data'
  eventmachine (1.0.8) lib/eventmachine.rb:193:in `run'
  thin (1.6.4) lib/thin/backends/base.rb:73:in `start'
  thin (1.6.4) lib/thin/server.rb:162:in `start'
  rack (1.6.4) lib/rack/handler/thin.rb:19:in `run'
  rack (1.6.4) lib/rack/server.rb:286:in `start'
  railties (4.2.3) lib/rails/commands/server.rb:80:in `start'
  railties (4.2.3) lib/rails/commands/commands_tasks.rb:80:in `block in server'
  railties (4.2.3) lib/rails/commands/commands_tasks.rb:75:in `server'
  railties (4.2.3) lib/rails/commands/commands_tasks.rb:39:in `run_command!'
  railties (4.2.3) lib/rails/commands.rb:17:in `<top (required)>'
  bin/rails:4:in `<main>'

在请求阶段在会话中设置的'omniauth.state‘为空。

在oauth2.rb中

elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))

我尝试设置选项provider_ignores_state: true，但由于会话的原因，仍然有很多问题。

我看到其他人提到了域。我们甚至没有设置域名，我坚持认为我们的域名是匹配的。问题是，我们有一个应用程序重定向到另一个应用程序，然后重定向到Lightspeed身份验证。

我写这篇文章是为了帮助其他可能发现自己处于类似情况的人，因为我昨天花了很多时间在这上面。

我们的域名不完全匹配，并且在修复我们的nginx配置后，CSRF错误不再出现！

然后我一直收到一个redirect_uri错误。

在此期间，我更新了我们的gem(我知道这很愚蠢)。omniauth-oauth2 1.4.0中有一个breaking change。

已将gem锁定为1.3.1。

Answer 1

我遇到了一个通过在config/initializers/omniauth.rb中进行设置来修复无效redirect_uri的问题

provider :lightspeed,
  "<CLIENT ID>",
  "<CLIENT SECRET>",
  scope: 'employee:all',
  token_params: { redirect_uri: "http://localhost:3000/auth/lightspeed/callback" }