Error when callback ? #64

Closed
classicboy opened this issue Nov 24, 2020 · 12 comments

Comments

@classicboy

I am using this gem together with Devise for the 'Sign in with Apple' feature of my web app. Everything works fine when redirecting to the Apple Sign in page. But after a successful sign in, a callback to my web app happens and an error occurs (in the local environment).
I can only fix this error if I add `protect_from_forgery prepend: true, only: :apple` to the top of `OmniauthCallbacksController`. But I don't think this is the right way to fix it.

[image]

@pablomarti

I am getting exactly the same error.

@pablomarti

Hey @classicboy, check this out: #54 (comment) and https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

@SwannG

SwannG commented Dec 23, 2020

Hello everyone, I was getting a "Can't verify CSRF token authenticity" after the Apple sign in page.
As said by @pablomarti, I added the gem: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284, but now I'm getting an "ActionController::InvalidAuthenticityToken" just like you, @classicboy. Did you manage to fix your issue? Any idea on what's going on and how to fix it?

@esellin

esellin commented Dec 24, 2020

See this interesting discussion from the Discourse guys trying to implement Apple SSO on their website.

The trouble is Apple using a POST for the final redirect. I created a dedicated controller in my Rails app to receive this POST request from Apple, on which I specifically disable all CSRF checks, and this controller just redirects to the standard OmniAuth callback URL like this:

    redirect_to "/users/auth/apple/callback?state=#{request.params["state"]}&code=#{request.params["code"]}"

From testing with Apple SSO on the Discourse website, it looks like this is what they are doing.

Hope this helps!
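As an added example (not code from the omniauth-apple gem, nor esellin's own app), here is the POST-to-GET bridge described in that comment with two changes a reviewer would ask for: only the parameters OmniAuth needs are forwarded (`state`, `code`, the `user` field wilg mentions further down, and `error`), and every value is URL-encoded instead of interpolated raw into the query string. The controller name, the route, and the default `callback_path` are assumptions.

```ruby
require "uri"

# Apple's form_post response fields that the OmniAuth callback needs.
# "user" is only present on the first authorization and carries the name
# (the parameter wilg found he also had to pass through); "error" is
# forwarded so a denied request still reaches OmniAuth's failure handling.
FORWARDED_PARAMS = %w[state code user error].freeze

# Builds the GET URL for the bridge redirect. `params` is the POST body Apple
# sent (String or Symbol keys); `callback_path` defaults to the route Devise
# mounts for this provider (an assumption for this example). Values are
# URL-encoded with the stdlib, so a value containing "&" or "#" cannot smuggle
# extra query parameters into the callback request, and anything outside
# FORWARDED_PARAMS is dropped rather than passed along.
def apple_callback_redirect_url(params, callback_path: "/users/auth/apple/callback")
  forwarded = FORWARDED_PARAMS.filter_map do |key|
    value = params[key] || params[key.to_sym]
    [key, value.to_s] unless value.nil? || value.to_s.empty?
  end
  unless forwarded.any? { |key, _| key == "code" || key == "error" }
    raise ArgumentError, "Apple callback carried neither code nor error"
  end
  "#{callback_path}?#{URI.encode_www_form(forwarded)}"
end

# The Rails side, only defined when Rails is loaded (controller name and
# route are assumptions; the route would be something like
#   post "/users/auth/apple/callback_post", to: "apple_callback#create").
# Forgery protection is skipped for this one action only: Apple's
# browser-driven cross-site POST cannot carry a Rails authenticity token,
# and the action does nothing except issue the redirect. The OmniAuth
# `state` check on the real callback still ties the response to the session
# that started the flow.
if defined?(ActionController::Base)
  class AppleCallbackController < ActionController::Base
    skip_forgery_protection only: :create

    def create
      redirect_to apple_callback_redirect_url(request.request_parameters)
    end
  end
end
```

One caveat with this pattern: the authorization code now travels in a GET URL, so it shows up in server, proxy and browser history logs. It is single-use and short-lived, which is why Discourse accepts that trade-off, but the callback should still exchange it promptly and the OmniAuth `state` check must stay enabled, since it is the only thing binding the redirected request to the session that began the sign-in.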

@SwannG

SwannG commented Jan 4, 2021

@esellin thanks for the answer!

I finally managed to make it work by adding `skip_before_action :verify_authenticity_token, only: :apple` at the top of my `omniauth_callbacks_controller.rb`, but after that I was getting `Can't verify CSRF token authenticity.`, and to fix it, in `config/initializers/session_store.rb`, I removed the `domain: ...`

@Meat-Chopper

Is it possible to implement something like Discourse plugin solution https://github.com/discourse/discourse-apple-auth/blob/40ef076fa744d562ce54f3f30921a1b387e042fb/lib/omniauth_apple.rb#L60 in this gem?

@wilg
Contributor

wilg commented Feb 22, 2021

@esellin Your solution worked for me, though I had to also pass through `user` to get the user name properly. However, once I added Sign In With Apple JS it stopped working and started failing with `csrf_detected`.

Anybody have ideas?

@rbarrera87

Did you solve your issue @wilg?

@wilg
Contributor

wilg commented Jun 16, 2022

I think I did get it working but can't look up the solution at this moment.

@rbarrera87

No worries @wilg, I will keep investigating. The thing is that I am working with a Rails API and the solution from @Meat-Chopper does not work for me. If I find the answer I will post it here.

@nov
Collaborator

nov commented Sep 27, 2022

Set `SameSite=none` on your cookie.
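An added example (not code from the gem or from any commenter) that shows why the suggestion above works, and what it costs. The first function models the browser's SameSite rule for attaching a cookie; the second applies it to the two designs discussed in this thread, Apple's POST handled directly as the callback versus the POST-to-GET bridge; the third builds session-cookie options and refuses `SameSite=None` without `Secure`, because browsers drop such cookies. The cookie key name is a placeholder.

```ruby
# Models the SameSite rule a browser applies when deciding whether to attach
# a cookie to a request.
#   same_site:     :strict, :lax or :none (the cookie's SameSite attribute)
#   cross_site:    true when the request is initiated by another site, as
#                  Apple's form_post callback is
#   top_level_get: true for a top-level navigation with a safe method (GET)
def cookie_sent?(same_site:, cross_site:, top_level_get:)
  return true unless cross_site
  case same_site
  when :none   then true
  when :lax    then top_level_get   # cross-site POST: cookie withheld
  when :strict then false
  else raise ArgumentError, "unknown SameSite value #{same_site.inspect}"
  end
end

# Does the Rails session cookie (which holds the CSRF token and the OmniAuth
# state) reach the callback? `bridged` means the app uses the POST-to-GET
# redirect described earlier in this thread instead of handling Apple's POST
# as the callback directly.
def session_reaches_callback?(same_site:, bridged:)
  # The first hop is always Apple's cross-site POST.
  return true if cookie_sent?(same_site: same_site, cross_site: true, top_level_get: false)
  # Without a bridge that POST is the callback itself, and it arrives without
  # the session: this is the InvalidAuthenticityToken / csrf_detected failure.
  return false unless bridged
  # With a bridge, the POST endpoint needs no session, and the redirect it
  # issues is a top-level GET. Lax allows that even though the navigation
  # was started by Apple; Strict still refuses it.
  cookie_sent?(same_site: same_site, cross_site: true, top_level_get: true)
end

# Cookie-store options as an app would hand them to
# `config.session_store :cookie_store` (the key name is a placeholder).
# Browsers only honour SameSite=None on Secure cookies, and None makes the
# session travel on every cross-site request, so the app's CSRF token check
# is then the only thing between a cross-site form and a state-changing
# action; that is the trade-off salzig's comment below points at.
def session_cookie_options(same_site:, secure:)
  if same_site == :none && !secure
    raise ArgumentError, "SameSite=None requires Secure; browsers reject the cookie otherwise"
  end
  { key: "_app_session", same_site: same_site, secure: secure, httponly: true }
end
```

Running `session_reaches_callback?(same_site: :lax, bridged: false)` reproduces the thread's failure (the cookie is withheld on Apple's cross-site POST), while either `bridged: true` under Lax or `same_site: :none` with a Secure cookie lets the session reach the callback. The bridge keeps the session cookie Lax for every other request, which is why it is the narrower fix.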

@salzig

salzig commented May 31, 2023

Instead of opening up the session to potential security risks, we may merge #107 and allow the nonce to be stored in its own encrypted cookie?
