Redirecting from external URL remaining authenticated

Hi I am struggling to achieve the flow that I would like. I have a form that a user submits and if successful I redirect the user to an external url to complete some actions.

This external url can POST back to my site via a web hook that I can validate and either do an action or just redirect the user to a page I want.

However the issue I am facing is that we lose the csrf_token or it become invalidated and it no longer has the current_user assigns.

How can I have it so the webhook triggers and the user returns to our site with valid csrf token and the current_user assigned?

I have no control to change the external webhook but I can validate it as being a genuine message from said source.

Could it be as simple as not redirecting a user after the form submits but opening a new tab instead?

All suggestions welcome

I’d suggest looking a the oauth2 flow. What you described sounds like 90% of the flow they use for external authentification.

Yes the flow is very similar but in that situation oauth provides the current_user when there isn’t already one.

I’m still non plussed as to what’s happening to the csrf token in my case.

I am essentially going from logged in user - > external url - > back 2 minutes later and I want the session to continue.

The session does continue if the user is making the http request from their browser.

Your issue is that it’s not the user making the http request, but the external server if I understood you correctly. That web hook http request essentially has no relationship with your user and even less with the browser window your user has open.

You either want that external page to redirect the user(s browser) back to your website or you’re better of embedding the external site e.g. in an iframe.

I’m still stuck on this - I understand what you were saying - I have instead tried to get my controller to open the external url as a new tab (not been able to so far. Adding target = _blank didn’t work) if I did that and then had the webhook post to an unauthenticated route without the csrf plug could that work?

Why not redirect the user to a personalized URL that automatically authenticates them? The URL could contain a one-time temporary token, for example. Of course, with this model, you have to trust the application behind the external URL to actually redirect your user to your custom URL.

But perhaps I’ve misunderstood your concern?

Can you help me walk this through a little bit more? This is my initial thought → When I direct the user to the external url I am able to dictate the url they are posted back to.

  1. Generate a 1 time token with a webhook context (in the user_token table)
  2. Set redirect url to
  3. user returns - check user_token table for the token & validate the webhook.
    4a. If i have both - redirect (if i do this to a :requires_authentication url will they have to log in or will it now work as they are coming from my domain and application?
    4b. If 3 fails → flush tokens (session and webhook) and send to homepage?

I’m just not confident this will work - will I not hit a csrf token error or session error trying to do this flow?

You can’t; if the browser attaches your session cookie with cross site posts then all hell breaks loose. Think about all the phishing sites / emails out there.

The best you can do is redirect and post again. I had a blog post on this: Pass data from site A to site B Basically, you let the user confirm the data again.

1 Like

I think this is essentially what I have mentioned in my last post BUT you’re saying you don’t need the webhook_token I spoke of. So long as the redirect comes from my app to my app all should be well?

Redirect from same domain will have the session cookie.

If you want to give the user a chance to double check the data, you don’t need to have a one time security token. If you want to make the process one click less; you could use a one time token to look up the user_id, so you don’t need the session cookie. However, then you really need to trust this 3rd party site not to forge the data.

1 Like