remove nonce comparison because session['omniauth.nonce'] is nil

[obregonia1]

I removed nonce comparison.
I failed authentification with omniauth-apple 1.3.0, and I found that session['omniauth.nonce'] is nil.
session['omniauth.nonce'] is assigned after called authorize_params, but authorize_params is never called.
In addition, session['omniauth.nonce'] is generated in application, and id_token[:nonce] is generated server in Apple.

ref #102
ref #103

[bvogel]

Rather then removing the nonce claim I opted to store it additionally in a sameSite: :none cookie which only lives during the authentication with apple stage:

module OmniAuth
  module Strategies
    class Apple < OmniAuth::Strategies::OAuth2
      private

      def new_nonce
        nonce = SecureRandom.urlsafe_base64(16)
        session["omniauth.nonce"] = nonce
        cookies.encrypted[:apple_auth_params] =
          { same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }
        nonce
      end

      def stored_nonce
        nonce = session.delete("omniauth.nonce") || cookies.encrypted[:apple_auth_params]
        cookies.delete :apple_auth_params
        nonce
      end

      def cookies
        request.env["action_dispatch.cookies"]
      end
    end
  end
end

add this monkey-patch to an initializer. The session will be a new one in most cases when the callback is invoked with a POST from the apple side.

[obregonia1]

@bvogel
LGTM!!
How about do you create PR with this solution? I close this PR, after your PR will be merged.

[bvogel]

@obregonia1 #107

[boyfunky]

i tried to add this to my initializer and i get this error @bvogel @obregonia1
(apple) Authentication failure! undefined method encrypted' for nil:NilClass: NoMethodError, undefined method encrypted' for nil:NilClass

This error is when it tries to run this line cookies.encrypted[:apple_auth_params] = { same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }

Has anyone experienced something similar?

[bvogel]

better try using the code from PR #107 - we currently run that in our production system. On the other hand a monkey patch like the one above shouldn't be executed during startup, it's just another class definition were only class name and methods are identified.

[obregonia1]

@bvogel
Thanks. Due to circumstances, we no longer need to use this library, so we are not using this change.

I hope discuss in #107 will be going in the right direction.

[sheuer]

i tried to add this to my initializer and i get this error @bvogel @obregonia1 (apple) Authentication failure! undefined method encrypted' for nil:NilClass: NoMethodError, undefined method encrypted' for nil:NilClass

This error is when it tries to run this line cookies.encrypted[:apple_auth_params] = { same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce }

Has anyone experienced something similar?

I fixed this issue by swapping out

      def cookies
        request.env["action_dispatch.cookies"]
      end

to

      def cookies
        @_request ||= ActionDispatch::Request.new(request.env)
        @_request.cookie_jar
      end