auth0 / omniauth-auth0 Goto Github PK

Hi!

I'm on a situation where I have both a login and signup in my home page. I cannot find a way to redirect to auth0 with signup page as the initial screen, it will always show login instead.

I see javascript have some options in which you can set the initial screen, but I cannot find the equivalent to this using this gem.

Is there any way I can redirect my users to the signup screen when they click signup?

Thanks a lot!

App in heroku is down it gives an error
.We're sorry, but something went wrong.

If you are the application owner check the logs for more information.

Devise support might be integrated in this gem or in a separate one. Find out which is best.

Hi there,

your example app, in addition to the example app offered for download have the following line:

If you want to build a Ruby On Rails API that will be used with a SPA or a Mobile device, please check this other seed project

However, the link provided does not exist. Is there an api app example?

Otherwise I suggest modifying this line, at least remove the link to avoid confusion.

Description

We're using omniauth-auth0 gem in a sinatra application, when the gem redirects to auth0 for authenticating a user it sends a parameter for callback_uri, by default it's /auth/auth0/callback.

Our service will be served under a path prefix, meaning all paths will have a fixed prefix "/service-name/" so we'll need to specify this callback_uri parameter.

With the current implementation the user will be redirected back to /auth/auth0/callback which doesn't hit the service in the first place, as /auth doesn't start with the service prefix so it won't map to it.

I tried to search for a way in the past couple days related to omniauth or omniauth-auth0 but failed to find any thing that works.

Environment

• Sinatra
• Omniauth (1.9.1)
• Omniauth-auth0 (2.3.1)

I'm hitting an issue where omniauth works in dev mode but not in production using passenger. Under passenger, I am redirected correctly by my app to /auth/auth0 (as I use the auth0 provider) but then get an error from nginx that that url doesn't exist. This is my omniauth config:

configure do
  set :sessions, true
  set :session_secret, (ENV['SESSION_SECRET'].to_s == '' ? SecureRandom.base64 : ENV['SESSION_SECRET'])

  OmniAuth.configure do |config|
    # Always use /auth/failure in any environment
    config.failure_raise_out_environments = []
  end

  use OmniAuth::Builder do
    provider :auth0, ENV['AUTH0_CLIENT_ID'], ENV['AUTH0_CLIENT_SECRET'], ENV['AUTH0_DOMAIN']
  end
end

I've ran this to show my routes:

require_relative 'main' # my sinatra app

Sinatra::Application.routes["GET"].each do |route|
  puts route[0]
end

but that shows only these auth-related routes, even in my development environment:

(?-mix:\A\/auth\/([^\/?#]+)\/callback\z)
(?-mix:\A\/auth\/failure\z)
(?-mix:\A\/auth\/logout\z)

but these are all mine, I was expecting /auth/auth0 (or a regex matching it) to be listed too.

In order to handle SSO authentication, we must perform silent authentication. To do that, the docs point to add a prompt=none to the authorization path.

There is no way to do that dinamically. I can perform silent authentication If I add this to initializers/auth0.rb:

authorize_params: {
	scope: 'openid',
	prompt: 'none'
}

But this will try to perform silent authentication always, and if the user is not logged in then a redirection to the failure callback will be fire.

I need a way to add the prompt param dinamically, so if a user is not logged in I can redirect him to the Auth0 login page. Is that possible?

In optinal step:
In case of failure, you may want to get the description of the error. For that, in your "config/production.rb"

add the following:

and the route of the file must be "config/environment/production.rb"

After updating from rails 6.0.6 to 6.1.7 I'm getting this error, configuration is the same as before and like described per current documentation, any idea what might be a problem?
Ruby 3.0.5

Hey guys, in that file https://github.com/auth0/omniauth-auth0/blob/master/lib/omniauth-auth0/version.rb, you are bumping the version of the Auth0, not the OmniAuth0, thus when both gems are used it generates a warning.

Apparently it's being ignored: https://github.com/auth0/omniauth-auth0/blob/master/lib/omniauth/strategies/auth0.rb#L42-L48

For comparison, this is how it's handled in omniauth-oauth2: https://github.com/intridea/omniauth-oauth2/blob/9a2617f65ddf85a31f2aa9325089df2ddbf9d613/lib/omniauth/strategies/oauth2.rb#L41-L46

Hello, maintainer of OmniAuth here.

I just wanted to make the maintainers of this gem aware of the discussion that I have opened regarding v2.0.0 of OmniAuth. I invite you to join in and voice any concerns you may have here: omniauth/omniauth#1017

After bundle update...

Fetching jwt 1.5.6 (was 2.1.0)
Installing jwt 1.5.6 (was 2.1.0)
Fetching faraday 0.12.2 (was 0.13.1)
Installing faraday 0.12.2 (was 0.13.1)
Fetching mime-types 2.99.3 (was 3.1)
Installing mime-types 2.99.3 (was 3.1)
Fetching rest-client 1.8.0 (was 2.0.2)
Installing rest-client 1.8.0 (was 2.0.2)

License should have the current approved contents.

Hi, I'm using this ruby gem in conjunction with Auth0 lock widget for authentication.
Gem is configured as

    provider(
        :auth0,
        auth0_config['client_id'],
        auth0_config['client_secret'],
        auth0_config['domain'],
        {
          callback_path: '/auth/auth0/callback',
          authorize_params: {
            scope: 'openid'
          }
        }
    )

The auth0_config is a hash with the auth0 configuration in my application.
Once i successfully log in, from the rails side i can see the omniauth.auth request variable. but this is of the kind of.

I omitted the non relevant pieces. I have an id token, but the access_token, which i believe to be the "token" in the hash is not a jwt token.

How can i get a JWT token i can use for authentication ?

In the Rails login tutorial here, a SessionHelper module is defined with a get_state method. This module looks like:

# app/helpers/session_helper.rb

module SessionHelper
  def get_state
    state = SecureRandom.hex(24)
    session['omniauth.state'] = state

    state
  end
end

I'm just curious what is responsible for calling this method? Does gem use this method or does another omniauth gem use this method? Just want to follow understand how this code is being used. Thanks!

Description

When a session is initiated from an IdP, for e.g. configured like an Okta app, the callback phase with code type seem to be failing in verify_nonce.

Reproduction

• Setup an external IdP provider
• Setup external IdP as a SAML connection
• redirect type as code
• Setup an Okta like browser plugin for initiating session
• Error comes up from verify_nonce in callback

Environment

• master branch
• Ruby on Rails version 4.2.11
• Using along with devise

sample project on dashboard have error about undefined Auth0Lock

Does this gem support the passwordless sms connection? Everything works fine with the username password connection. However, when I try to force SMS connections through ?connection=sms I get redirected to https://login.auth0.com/lo/wsfed with the error message Cannot GET /wsfed.

Describe the problem

Unable to pass prompt values to configure New Universal Login when using omniauth-rails_csrf_protection
. The readme suggests passing these as query params when redirecting the user to Auth0, but when using the csrf protection gem, I'm using a POST request rather than a redirect.

What was the expected behavior?

I expect that I can pass prompt: { login: { description: 'Login to <OUR APPLICATION>' } } and see the New Universal Login reflect that copy change.

Reproduction

I've set the prompt key in the OmniAuth configuration as well as the query params for the POST request.

OmniAuth config

1. Set the prompt argument when configuring OmniAuth.
2. Attempt login and see the New Universal Login unchanged from its default.

Query String

1. Set the params for the link generated for login within railse. i.e. <%= link_to 'Login', '/auth/auth0', params: { <PROMPT CONFIG> }, method: :post %>
2. Attempt login and see the New Universal Login unchanged from its default.

Environment

• Version of this library used: 2.4.1
• Which framework are you using, if applicable: Rails 5
• Other modules/plugins/libraries that might be involved: omniauth-rails_csrf_protection
  
• Any other relevant information you think would be useful:

It's missing the instruction bundle install

Describe the problem

When adding scopes they aren't being included in the JWT. Oddly, some appear to work and others don't. For example, the scopes 'openid email profile offline_access' all pass fine, but if I add a scope like "read:stats" or "read:users" it doesn't appear in the JWT. And these scopes that arent being added to the JWT are listed under permissions in both Auth0 Management API and my custom localhost api.

What was the expected behavior?

For the scope to be included in the JWT.

Reproduction

Here is my builder.

  use OmniAuth::Builder do
    provider(
      :auth0,
      ENV['AUTH0_ADMIN_CLIENT_ID'],
      ENV['AUTH0_ADMIN_CLIENT_SECRET'],
      ENV['AUTH0_DOMAIN'],
      name: 'admin_auth',
      origin_param: false,
      callback_path: '/admin/callback',
      authorize_params: {
        scope: 'openid read:users email profile offline_access',
        audience: ENV.fetch('AUTH0_AUDIENCE') { 'http://localhost:3500' },
      }
    )
  end

Environment

• Version of this library used:

   omniauth (2.1.0)
      hashie (>= 3.4.6)
      rack (>= 2.2.3)
      rack-protection
    omniauth-auth0 (3.0.0)
      omniauth (~> 2.0)
      omniauth-oauth2 (~> 1.7)
    omniauth-oauth2 (1.7.2)
      oauth2 (~> 1.4)
      omniauth (>= 1.9, < 3)

• Which framework are you using, if applicable: Sinatra
• Other modules/plugins/libraries that might be involved: N/a
• Any other relevant information you think would be useful:

Description

I found a thread in forum about the same issue with no resolution: https://community.auth0.com/t/twitter-nickname-is-not-the-same-as-screen-name/17297

Unlike every other social login provider, Twitter strategy returns request.env['omniauth.auth']['info']['nickname'] value which is NOT the user's Twitter handle.

The workaround of adding this rule in Auth0 dashboard does work:

function (user, context, callback) {
  // Put the user's screen_name as the nickname
  // for Twitter connections
  if (context.connection === 'twitter' && user.screen_name) {
    user.nickname = user.screen_name;
  }
  callback(null, user, context);
}

Prerequisites

• I have read the Auth0 contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation?
• Did you check Auth0 Community?
• Are you reporting this to the correct repository? This strategy relies on OmniAuth and the OmniAuth OAuth2 strategy.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

• OmniAuth-Auth0 version: 2.2.0
• Ruby version: 2.6.3
• Rails veresion: 5.2.3

Using omniauth-auth0 v2.0.0 but otherwise following the Rails 5 guides in the docs leads to a csrf_detected error coming out of omniauth.

provider_ignores_state = true used to be set in the provider by default. This was removed in v2.0.0. Setting this explicitly avoids the CSRF detected error but it doesn't seem like a good idea.

Is there another suggested implementation to avoid setting provider_ignores_state = true?

Hi there,

I'm trying to implement omniauth-auth0 as a provider in our rails 4 app. I'm using the Auth0 lock widget in a modal to initiate the login process.

We use devise and omniauth and already successfully implement various providers like google, facebook and linkedin. I used a similar implementation to the one described here: #6

For some reason, the omniauth-auth0 gem is generating a badly formed request to extract the access token from the authorization code and exchange it for the id token as described here: https://auth0.com/docs/client-auth/server-side-web#exhange-the-access_code-for-an-id_token

Here is an example trace of the request and response:

[www] [7ae2968b-XXXXX] [127.0.0.1] [USER: Unknown] [SESS: ecb26e0256aXXXXXX] Started GET "/accounts/auth/auth0/callback?code=XLbDDKKXXXXXX" for 127.0.0.1 at 2017-02-15 19:04:24 -0700
I, [2017-02-15T19:04:24.070708 #70029]  INFO -- omniauth: (auth0) Callback phase initiated.
E, [2017-02-15T19:04:24.845973 #70029] ERROR -- omniauth: (auth0) Authentication failure! invalid_credentials: OAuth2::Error, access_denied: Unauthorized
{"error":"access_denied","error_description":"Unauthorized"}

I can do this exchange myself in the terminal via a curl and it works fine. See below.

$ curl --request POST \
>   --url 'https://warmlyyours.auth0.com/oauth/token' \
>   --header 'content-type: application/json' \
>   --data '{"grant_type":"authorization_code","client_id": "zNZjT4aNDl24XXXXXXXX","client_secret": "AjGbpSc3XXXXXXXXXXX","code": "RTE6dqvXXXXXXX","redirect_uri": "https://www.x.me:3000/accounts/auth/auth0/callback"}'
{"access_token":"Wc7K8mXXXXXX","expires_in":86400,"id_token":"eyJ0eXAiOXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","token_type":"Bearer"} 

Below are example log traces left in the Auth0 dashboard, the pattern is a failed exchange immediately following a successful login.

Summary
Occurred	15 hours ago at 2017-02-16 02:04:24.853 UTC
Type	**Failed Exchange**
Description	Unauthorized
Connection	
Application	zNZjT4aNDl24XXXXXXXX
User	

Raw
{
  "date": "2017-02-16T02:04:24.853Z",
  "type": "feacft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": "zNZjT4aNDl24XXXXXXXX",
  "client_name": null,
  "ip": "73.14.174.238",
  "user_agent": "Faraday v0.9.2",
  "user_id": "",
  "user_name": ""
}

Summary
Occurred	15 hours ago at 2017-02-16 02:04:23.974 UTC
Type	**Success Login**
Description	
Connection	Username-Password-Authentication
Application	XYZzNZjT4aNDl24XXXXXXXX
User	[email protected]

Raw
{
  "date": "2017-02-16T02:04:23.974Z",
  "type": "s",
  "connection": "XYZ",
  "connection_id": "con_XYZ",
  "client_id": "zNZjT4aNDl24XXXXXXXX",
  "client_name": "XYZ",
  "ip": "73.14.X.Y",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
  "details": {
    "stats": {
      "loginsCount": 24
    }
  },
  "user_id": "auth0|XYZ",
  "user_name": "[email protected]",
  "strategy": "auth0",
  "strategy_type": "database"
}

Any help would be appreciated!

Regards,
Ramie

Describe the problem you'd like to have solved

I've started using Auth0 for SSO with a Rails client app and I'm having issues with the fact that once any of my users' Auth0 sessions have expired there's no way for me to know that so I can also destroy their session in the client app.

Describe the ideal solution

Once the user's Auth0 session expires, a POST request is sent from Auth0 to the client Rails app, securely, that a specific user's session has expired.

E.g. suppose that we could generate a secret API key on a client application, similar to the way keys are generated by Auth0 so that client application could be authorize, but it's the other way around- Auth0 would have to authenticate itself to the client application when sending a request and the client application has to verify that request in order for it to be handled.

Alternatives and current work-arounds

N/A

Additional information, if any

N/A

Instead of calling /userinfo, decode the id_token (if openid was included as the scope)

Describe the problem you'd like to have solved

We'd like to redirect the user to the Auth0 login page from a GET request, it would be nice if we could reuse omniauth-auth0's logic for generating an appropriate URL.

Describe the ideal solution

A method that can be used to generate an appropriate Auth0 URL for the login page.

Alternatives and current work-arounds

Figuring out the logic to generate the URL ourselves, but since it's been solved by this gem already it would be nice to be able to reuse that logic.

It's also possible to use the repost gem to simulate a redirect to POST /auth/auth0, but that's not ideal.

Additional information, if any

There is an existing similar issue, but it was closed without providing a complete solution #105.

I have an app where I'm moving from lock based authentication to the Auth0 Universal Login approach. On this process I updated omniauth-auth0 from version 1.0 to 2.2 and started to have this problem when trying to logging in:

Environment:

rails 5.1.1
ruby 2.4.1

Any thoughts of how can I handle this?

Missing Login Info

Description

I'm currently integrating omniauth SSO to an existing Devise based application. (Devise + omniauth + omniauth-auth0). After a little experimentation I was able to get auth working, but don't receive any of the metadata I would expect... instead I get:

#<OmniAuth::AuthHash::InfoHash email=nil image=nil name="github|<USER_ID>" nickname=nil>

in the info hash. Is there a quick fix/known behavior for this issue?

Prerequisites

I checked around and saw no issues/fixes/PRs to match

Environment

Please provide the following:

• OmniAuth-Auth0 version: 2.0.0
• Ruby version: 2.3.1
• Rails version: 5.0.2
• Browser version, if applicable:
• Additional gems that might be affecting your instance:
  aasm
  activerecord-import
  activerecord-postgis-adapter
  angular_rails_csrf
  aws-sdk (>= 2.0.34)
  better_errors
  bootstrap (> 4.0.0.alpha6)
  bower-rails (> 0.11.0)
  byebug (> 10.0.0)
  capybara
  coffee-rails (> 4.2)
  config
  database_cleaner
  debase (> 0.2.1)
  devise (= 4.3.0)
  factory_girl_rails
  faker
  freyr_client!
  gis_tools!
  haml-rails
  image_tools!
  jbuilder (> 2.5)
  jquery-rails
  listen (> 3.0.5)
  newrelic_rpm (>= 3.6)
  ngannotate-rails
  omniauth (> 1.6.1)
  omniauth-auth0 (> 2.0.0)
  paperclip!
  parallelize
  passenger (>= 5.0.25)
  pg
  pundit
  rails (> 5.0.1)
  rails-controller-testing
  rails_admin
  rails_admin_pundit!
  rbtrace
  redis
  redis-lock
  redis-namespace
  redis-objects
  redis-rails
  redis-store
  restangular-rails!
  rgeo (>= 0.5.2)
  rgeo-geojson
  rmagick
  rspec-rails
  ruby-debug-ide (> 0.6.0)
  ruby-opencv (= 0.0.17)
  sass-rails (> 5.0)
  sidekiq (= 4.0)
  sidekiq-failures
  sidekiq-scheduler
  sidekiq-unique-jobs
  simplecov
  sinatra (= 2.0.0.beta2)
  slim (= 2.0.1)
  spring
  spring-watcher-listen (> 2.0.0)
  sqlite3
  turbolinks (> 5)
  typhoeus
  tzinfo-data
  uglifier (>= 1.3.0)
  web-console (>= 3.3.0)

Reproduction

I never get details on login, only the uid of the user. Every attempted login on any provider is a reproduction of this issue. I do not have an isolated test case.

It seems to do the same thing for any provider. ( EX: google-oauth2|USER_ID is all that comes in for the google provider )

Logs

Logs indicate a successful auth, but themselves have some empty fields.

{
  "date": "2018-12-18T18:46:29.380Z",
  "type": "seacft",
  "description": "",
  "connection_id": "",
  "client_id": "4Ac7g6azJYRJd7FyEjLWk0cnNVaFGNFX",
  "client_name": "client-portal",
  "ip": "REDACTED",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "REDACTED",
  "user_id": "",
  "user_name": "",
  "log_id": "90020181218184629380777407631495898728224680782653942003",
  "isMobile": false
}

Settings

In my devise config:

  config.omniauth :auth0, ENV['AUTH0_CLIENT_ID'],
    ENV['AUTH0_CLIENT_SECRET'],
    ENV['AUTH0_HOST'],
    {
      authorize_params: {
        scope: 'openid read:users',
        audience: '<audience URL>'
      },
      provider_ignores_state: true,
      callback_path: '/authenticate'
    }

I'm examining the incoming auth inside my self.from_omniauth(auth) implementation.

Thanks for looking,
-abbey

Description

Most of our users are reporting no issues, but occasionally we are seeing users hit CSRF detected errors. We even had a developer hit one locally.

Reproduction

One nuance of our setup is that the entire app is behind a login wall, so we have a concern that automatically redirects to auth0 login if the user is not already logged in.

That code looks like this:

module Authentication
  extend ActiveSupport::Concern

  included do
    before_action :authenticate!
  end

  def authenticate!
    authenticated_user = User.includes(:roles).find_by(id: session[:user_id])
    if authenticated_user.nil?
      redirect_to "/auth/auth0"
    else
      Current.user = authenticated_user
    end
  end

The error looks like this in development:

Unfortunately, we're having a lot of trouble reproducing it. My colleagues have shown it to me when it's happened and I see it coming into Sentry (our error reporter), but they didn't seem to do anything differently.

The strange thing is that usually they insist they were already signed in on a previous session and logically shouldn't have even been needing to go through the auth0 flow.

• Visit site
• Get prompted with login again (even though they weren't signed out)
• Submit credentials
• Receive CSRF detected error page (which we render for the omniauth failure callback)
• If they then just type in the URL of the app again, they're signed in and everything's working

Environment

• Version of this library used: 4.9.0
• Version of the platform or framework used, if applicable: Rails 5.2.3
• Other relevant versions (language, server software, OS, browser): English, Heroku, Linux, Chrome
• Other modules/plugins/libraries that might be involved: [email protected]. We do not have the omniauth-rails_csrf_protection because of our redirect strategy (redirects don't allow POST) but maybe this is the issue?

We are aware of a vulnerability in the parent OmniAuth library that this strategy relies on. This was reported over 4 years ago in this PR but no fix has been released yet. It just recently came to our attention (and others) when our dependency scanner started pinging us about CVE-2015-9284.

In summary, the vulnerability allows an attacker to link an external identity provider to a user signed into the application using OmniAuth if certain conditions apply. This request forgery requires having 2 or more allowed identity sources for the application and can affect both Ruby-only and Rails-enabled applications. Even if you are only using the Auth0 strategy, specific providers can be indicated in a connection parameter on the auth URL like so:

https://yourapp.com/auth/auth0?connection=google-oauth2

This will limit the authentication request to a single connection, in this example case the Google social connection, and return to the application with a valid ID token. Default behavior for an application using our quickstart is to log the user in with this new ID token. If your application does any kind of account linking then this could create a situation where an attacker's Google account could be associated with the user account for the application by just visiting a URL. Again, this would require no-action account linking to be implemented in your application and the user to be logged into an attacker's account on an external identity provider used by the application.

The OmniAuth community has since published a mitigation draft document that walks through how to secure an app with this vulnerability in place, both for Ruby and Rails-enabled applications. The main mitigation presented there is to POST to the auth URL so a CSRF token can be used and direct links could not start the auth process. Other considerations:

• Issue a warning before redirecting logged-in users that they are about to start a new auth session.
• Display a clear message before linking accounts, like "Are you sure you want to link your account for [email protected] with [email protected]?"

In the meantime, we have one of two options for this library:

1. Wait for the parent library to address the issue. While the issue has been around for several years, there has been a lot of recent discussion. This will hopefully lead to a fix (even if it requires a major release).
2. Switch this library to be Rails-only and switch to omniauth-rails once this PR is merged.

Taking route 1 would mean that we're waiting for an indeterminate time before this is fixed (which is fine if mitigations can be put in place but there's no way to contact everyone using this library). Taking route 2 means that Ruby-only applications do not have a good authentication solution (the Ruby SDK has the endpoints needed but does not handle callbacks, session, state, etc).

We appreciate any feedback that you have. In the meantime, we'll be weighing the two options above, looking for additional ways to address this, and answering any questions you might have. We'll leave this open until a fix is in place, one way or another.

Describe the problem

After following the setup instructions for Rails and adding the button. The button does nothing. Note that I have a fully functional rails 5 application that works just fine with exact same code. May be the documentation needs to reflect this?

<%= button_to 'Login', '/auth/auth0', method: :post %>

However this works just fine:

<%= button_to "Login", "/auth/auth0", method: :post, data: { turbo: false } %>

What was the expected behavior?

Expected to redirect to Auth0 Login page

Where possible, please include:
Without turbo:false all I get in logs is:

web    | Started POST "/auth/auth0" for ::1 at 2022-11-21 22:58:24 -0500
web    | D, [2022-11-21T22:58:24.501212 #45225] DEBUG -- omniauth: (auth0) Request phase initiated.

Environment

• Version of this library used: Latest
• Which framework are you using, if applicable: Rails 7

Splitting this off from #48 by @coros-sanborn.

We used to get the app_metadata back which included the roles:
data[:extra][:raw_info][:app_metadata][:myAppName][:roles]

Since you want to use Lock and you need to use v11 going forward, I think your best bet in this case is a custom claim for the ID token. Here is the Rules code you're looking for, modified from here:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  callback(null, user, context);
}

One thing to note ... some browsers have a problem with the cross-browser authentication that Lock 11 does. To fix this, you'll need a custom domain setup for your tenant.

The universal login (which is v9) should at least work and return the same information as embedded lock v9 - which it does not (since I no longer get the app_metadata).

The actual version of Lock is less relevant than the API endpoints it uses. I wouldn't really even consider how the Lock widget on the universal page works since it behaves differently when it's located there. As you've said, that doesn't return the app_metadata either.

To be clear, I'm only looking at the universal login as a last resort.

Understood. That said, our recommendation stands to use a redirect to the universal login page with a web app like one built on Rails.

I have a rails 4 app that had the embedded login page with lock 9. It worked fine for years. It stopped working in the last couple weeks because lock 9 was deprecated. As soon as I upgraded to lock 11 the page will no longer redirect, even if the user is authenticated.

I'm clear on the missing app_metadata but can you clarify what you mean by "As soon as I upgraded to lock 11 the page will no longer redirect"?

This is the problem that I and many others are having and we really need a resolution.

That's what I'm here for :)

If lock 9 worked then upgrading to lock 11 should work, maybe with a few tweaks, but the entire app should not fail.

I agree. I think that's a shortcoming in our migration guide, to be honest. The new authentication endpoints only provide OIDC conformant fields and app_metadata is not one of them.

And to add to the challenge there is not any documentation on how to configure the embedded login with Rails. The quickstart example is only for using the universal login page.

That was intentional, RE: our recommendation to use the universal login page.

After the rails steps, got SSL error. Need to add ssl_fix by default as described here

allow to log response easily

eg. if AUTH_DEBUG env variable is set
log the response

@hzalaz ~18mo since last commit. Is auth0 dropping support?

oauth2 - has new maintainers and v2.0 is on the way soon https://github.com/oauth-xx/oauth2/issues/307#issuecomment-370920888

Describe the problem you'd like to have solved

In an application using Turbo (and I assume its predecessor Turbolinks), form submissions will be transformed into XHR / fetch requests that trigger a CORS request. This is not valid for the login action.

Other users have experienced the same problem.

Describe the ideal solution

Update the docs (and quick start guide?) to mention this. Specifically for Turbo, you can disable the behavior via:

button_to 'Login', 'auth/auth0', method: :post, data: { turbo: 'false' }
#                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^

I am trying to setup like so:

AUTH0_SETUP = lambda do |env|
  req = Rack::Request.new(env)

  namespace = 'foobar.auth0.com'
  site = "https://#{namespace}"
  client_info_querystring = "..."

  env['omniauth.strategy'].options[:client_id] = 'some-id'
  env['omniauth.strategy'].options[:client_secret] = 'some-secret'
  env['omniauth.strategy'].options[:namespace] = namespace
  env['omniauth.strategy'].options[:provider_ignores_state] = { callback_path: "/auth/auth0/callback" }
  env['omniauth.strategy'].options[:client_options]
    .merge!(site: site,
      authorize_url: "#{site}/authorize?#{client_info_querystring}",
      token_url: "#{site}/oauth/token?#{client_info_querystring}",
      userinfo_url: "#{site}/userinfo")
end

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :auth0, setup: AUTH0_SETUP
end

but this does not work because OmniAuth::Strategies::Auth0::initialize depends on args
and has a check on argument

fail(ArgumentError.new("Received wrong number of arguments. #{args.inspect}")) if @options[: namespace].nil?

but in case of setup args will be [{setup: <Proc>}] and will not have the namespace it needs

other Omniauth strategies like facebook use the option class method to configure it
and do not use the initialize method

https://auth0.com/docs/quickstart/webapp/rails
step 5. Triggering login manually or integrating the Auth0Lock

when I try the Tutorial and I select custon UI view this is how it says in the tutotial it should look

Using the code this is how it looks on my localhost

In the code I don't see any buttons for facebokk or the text "Use a Social or Enterprise connection"
so I think that something is updated, the picture or the code..

Hi

I have been following the tutorial for using Auth0 with Rails here https://auth0.com/docs/quickstart/webapp/rails/01-login

The issue I have is that most Rails applications (and ours is one of them) , if I hit a URL that needs a login, it will redirect me to the login screen, and then upon successful authentication continue on it’s merry journey.

I haven’t found anything in the documentation about how to do that redirect?

I have had to construct a URL myself … that seems to work … but it’s been a bit of trial and error and I would have thought that there was a better Rails way.

state = SecureRandom.hex
session['omniauth.state'] =  state
callback_url = auth_auth0_callback_url
url = "https://#{ApplicationConfig::Auth0::DOMAIN}/authorize?response_type=code&client_id=#{ApplicationConfig::Auth0::CLIENT_ID}&redirect_uri=#{callback_url}&state=#{state}&scope=openid profile email"

So is there a better way of doing this?

Cheers
Shane

My rails app integrated with Auth0 with no issue, however, when I upgraded omniauth-auth0 from 1.4.2 to ~> 2.0.0 it forced me to upgrade omniauth-oauth2 from 1.3.1 to ~> 1.4

then, after upgrading, I started getting this error after social login with Lock 11:

Could not find a valid mapping for path "/auth/oauth2/callback"

My code base has not been touched, I only upgraded the gems.

Full trace:

devise (4.3.0) lib/devise/mapping.rb:49:in `find_by_path!'
devise (4.3.0) lib/devise/omniauth.rb:17:in `block in <top (required)>'
omniauth (1.6.1) lib/omniauth/strategy.rb:478:in `call'
omniauth (1.6.1) lib/omniauth/strategy.rb:478:in `fail!'
omniauth-oauth2 (1.4.0) lib/omniauth/strategies/oauth2.rb:71:in `callback_phase'
omniauth (1.6.1) lib/omniauth/strategy.rb:230:in `callback_call'
omniauth (1.6.1) lib/omniauth/strategy.rb:187:in `call!'
omniauth (1.6.1) lib/omniauth/strategy.rb:167:in `call'
omniauth (1.6.1) lib/omniauth/builder.rb:63:in `call'
rack (1.6.9) lib/rack/deflater.rb:35:in `call'
warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
warden (1.2.7) lib/warden/manager.rb:35:in `catch'
warden (1.2.7) lib/warden/manager.rb:35:in `call'
rack (1.6.9) lib/rack/etag.rb:24:in `call'
rack (1.6.9) lib/rack/conditionalget.rb:25:in `call'
rack (1.6.9) lib/rack/head.rb:13:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/flash.rb:260:in `call'
rack (1.6.9) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.6.9) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.2.8) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.2.8) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.2.8) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
activesupport (4.2.8) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
activesupport (4.2.8) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (4.2.8) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.2.8) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.2.8) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.2.8) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.2.8) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.2.8) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.2.8) lib/rails/rack/logger.rb:20:in `call'
request_store (1.3.2) lib/request_store/middleware.rb:9:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.6.9) lib/rack/methodoverride.rb:22:in `call'
rack (1.6.9) lib/rack/runtime.rb:18:in `call'
activesupport (4.2.8) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
rack (1.6.9) lib/rack/lock.rb:17:in `call'
dragonfly (1.1.3) lib/dragonfly/cookie_monster.rb:9:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/static.rb:120:in `call'
font_assets (0.1.14) lib/font_assets/middleware.rb:17:in `block in call'
font_assets (0.1.14) lib/font_assets/middleware.rb:40:in `do_request'
font_assets (0.1.14) lib/font_assets/middleware.rb:16:in `call'
rack (1.6.9) lib/rack/sendfile.rb:113:in `call'
lib/rack/seoredirect.rb:20:in `call'
sentry-raven (2.7.1) lib/raven/integrations/rack.rb:51:in `call'
railties (4.2.8) lib/rails/engine.rb:518:in `call'
railties (4.2.8) lib/rails/application.rb:165:in `call'
railties (4.2.8) lib/rails/railtie.rb:194:in `public_send'
railties (4.2.8) lib/rails/railtie.rb:194:in `method_missing'
rack (1.6.9) lib/rack/deflater.rb:35:in `call'
rack (1.6.9) lib/rack/lock.rb:17:in `call'
rack (1.6.9) lib/rack/content_length.rb:15:in `call'
rack (1.6.9) lib/rack/handler/webrick.rb:88:in `service'
/Users/Apple/.rvm/rubies/ruby-2.2.7/lib/ruby/2.2.0/webrick/httpserver.rb:138:in `service'
/Users/Apple/.rvm/rubies/ruby-2.2.7/lib/ruby/2.2.0/webrick/httpserver.rb:94:in `run'
/Users/Apple/.rvm/rubies/ruby-2.2.7/lib/ruby/2.2.0/webrick/server.rb:294:in `block in start_thread'

• sass-rails 4.0.5 -> 5.0.4
• coffee-rails 4.0.0 -> 4.1.1
• dotenv 0.11.1 -> 2.1.0

Using custom domain with this gem

Description

I'm tring to implement custom domain, but I receive only "You should not be hitting this endpoint. Make sure to use the code snippets shown in the tutorial or contact [email protected] for help" error alert.

Thank you

Environment

Please provide the following:

• OmniAuth-Auth0 version: 2.0.0
• Ruby version: 2.4.1
• Rails version: 5.1.2
• Browser version, if applicable: Tested in Firefox 65

Reproduction

My initializers/auth0.rb:

Rails.application.config.middleware.use OmniAuth::Builder do
    provider(
      :auth0,
      ENV['AUTH0_CLIENT_ID'],
      ENV['AUTH0_CLIENT_SECRET'],
      ENV['AUTH0_DOMAIN'],
      authorize_params: {
        scope: 'openid profile offline_access enroll read:authenticators remove:authenticators',
        audience: "https://<tenant>.auth0.com/mfa/",
      },
      provider_ignores_state: true,
    )
end

I changed AUTH0_DOMAIN with custom domain.
I tried setting configuration_base_url too, but not solves.

The README.md file spells URL as "url". Since URL stands for Uniform Resource Locator, it should be always uppercase, unless its a variable name.

Looking to implement a sign out here. Deleting session info doesn't seem to work, any help?

Update it to Rails 4.2.5.1 to use the patch version that fixes the security vulnerabilities previously reviewed

Description

I'm using Auth0's dev keys in development mode while running the app locally. I have configured both of the following URLs as callback URLs in the application settings:

http://localhost:3000/auth/oauth2/callback, http://localhost:3000/auth/auth0/callback

This seems to be exactly the same issue as what was reported here: https://community.auth0.com/t/redirecturl-mismatch-using-webauth/21332

An example error tracking id: ec12ffe36ad815bec615

Prerequisites

• I have read the Auth0 contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation?
• Did you check Auth0 Community?
• Are you reporting this to the correct repository? This strategy relies on OmniAuth and the OmniAuth OAuth2 strategy.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

• OmniAuth-Auth0 version: 2.2.0
• Ruby version: 2.6.3
• Rails veresion: 5.2.3

Reproduction

Error page URL: https://login.auth0.com/login/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=HlZVr9b_rOB5mvdsVKNjvPFuSX4b4i7t

Sample project on Windows require this gem, which is commented by default. Need to add to Readme.MD note like this If you are using Windows, uncomment tzinfo-data gem in the gemfile