Ueberauth OAuth login is not working because of Cross-Site-Request-Forgery

Hi all,

I want to use Ueberauth for a project. So the first thing I did was to try out the Ueberauth example repository:
https://github.com/ueberauth/ueberauth_example/

After configuring and starting it, the following happens:

The redirect and the authentication with Google work fine. But when Google calls the callback method, the parameter ‘state’ is missing.
As far as I understand, the parameter ‘state’ has to be in the authentication request call in the first place.
But this is not happening. If this parameter is missing, Ueberauth reacts with a “Cross-Site-Request-Forgery” error.

I have no idea what I am doing wrong! Can someone help me?

This is what i did:

I registered a Google OAuth client with the following callback URL:

http://localhost:4000/auth/google/callback

I did all the steps described in the README.

Set the environment:

    export GOOGLE_CLIENT_ID=...
    export GOOGLE_CLIENT_SECRET=...

And started the Phoenix app:

    mix deps.get && npm install --prefix assets
    mix phx.server

These are the software versions I used:

    Erlang/OTP 24 [erts-12.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit] [dtrace]
    Interactive Elixir (1.12.2) - press Ctrl+C to exit (type h() ENTER for help)
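
The round trip the post describes is the OAuth 2.0 `state` check: the request phase mints a random value, keeps a copy in the user's session and sends it to the provider; the callback phase only accepts the authorization code if the provider echoes back the same value. Below is an added, self-contained illustration of that check in Python; it is not Ueberauth's or Google's code. The provider is simulated, the session is a plain dict standing in for the Plug session, the session key name `ueberauth.state_param` is an assumption, and the redirect URI is the one registered in the post. A missing or mismatched `state` is what produces the CSRF error the post reports.

```python
"""OAuth 2.0 `state` round trip (added example, not Ueberauth or Google code)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # Google's authorize endpoint
REDIRECT_URI = "http://localhost:4000/auth/google/callback"     # callback URL from the post
STATE_KEY = "ueberauth.state_param"  # assumed session key; Ueberauth's real key may differ


class CSRFError(Exception):
    """Raised when the callback's `state` is absent or does not match the session copy."""


def build_request_phase(session: dict, client_id: str) -> str:
    """Request phase: mint a random state, store it in the session, send it to the provider."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "email profile",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Callback phase: accept the code only if the echoed state matches the session copy."""
    query = parse_qs(urlparse(callback_url).query)
    # Consume the stored state whether or not the check passes, so it is single use.
    expected = session.pop(STATE_KEY, None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise CSRFError("state parameter missing from session or callback")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise CSRFError("state parameter does not match the session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code


def simulate(provider_echoes_state: bool) -> str:
    """Run both phases against a simulated provider (constructed data, no network)."""
    session: dict = {}
    request_url = build_request_phase(session, "client-id-placeholder")
    sent = parse_qs(urlparse(request_url).query)
    params = {"code": "4/constructed-auth-code"}  # constructed sample code
    if provider_echoes_state:
        params["state"] = sent["state"][0]
    callback_url = f"{REDIRECT_URI}?{urlencode(params)}"
    try:
        return handle_callback(session, callback_url)
    except CSRFError as exc:
        return f"csrf error: {exc}"


if __name__ == "__main__":
    print("provider echoes state:", simulate(True))
    print("provider drops state: ", simulate(False))
```

With the state echoed, `simulate(True)` returns the authorization code; without it, `simulate(False)` reports the CSRF error. A callback carrying a `state` the session never issued, which is the forged-callback case the check exists for, is rejected the same way, and the stored value is discarded on first use so a captured callback cannot be replayed.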

Welcome to the community!

I just cloned and ran the example repo in the same way and got no errors.

Only code change was I removed the settings for the other strategies from the config and runtime files.

Are you running the latest repo code and deps? I came across the same issue not too long ago with ueberauth_microsoft and I think I solved it by updating the deps.

For reference, I have:

    oauth2  2.0.0
    phoenix 1.5.9
    ueberauth 0.7.0
    ueberauth_google 0.10.1

running on

    Erlang/OTP 24 [erts-12.0.3] [source] [64-bit] [smp:16:16] [ds:16:16:10] [async-threads:1] [jit]
    Interactive Elixir (1.12.2) - press Ctrl+C to exit (type h() ENTER for help)

I don’t think it will work with localhost. I always use a real domain name with standard https.


OAuth allows non-TLS localhost as an exception for development, otherwise the domain has to be fully-qualified and secured.

Using OAuth 2.0 for Web Server Applications | Google Identity

These endpoints must adhere to Google’s validation rules.

For testing, you can specify URIs that refer to the local machine, such as http://localhost:8080.

Thank you very much!

The upgrade to

    ueberauth_google 0.10.1

was the solution.