Devise, OmniAuth & Facebook: "Not found. Authentication passthru."

Question

Trying to follow along with https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview and I'm stumped.

I've got config.omniauth :facebook, ENV['FB_APP_ID'], ENV['FB_APP_SECRET'] in my config/initializers/devise.rb, devise_for :users, :controllers => { :omniauth_callbacks => "users/omniauth_callbacks" } in my routes.rb, and an OmniAuthCallbacks controller defined.

When I visit user_omniauth_authorize_path(:facebook), I get: Not found. Authentication passthru. I'm not sure what to do next. I am not using route globing, so I don't believe I need to define a passthru method, but doing so just gives me a 404.

Answer 1

Also make sure you have added a route to the OmniauthCallbacksController:

devise_for :users, :controllers => { :omniauth_callbacks => "users/omniauth_callbacks" }

and that you have added the update to the devise declaration in your User model:

devise :omniauthable, :omniauth_providers => [:facebook]

Answer 2

So I've stumbeled upon this after opening a old project and and after seeing that my authorize url looke something like "user/auth/facebook.facebook" i ran a rake routes and solved it by changing

<%= link_to "Sign in with Facebook", user_omniauth_authorize_path(:facebook) %>

to

<%= link_to "Sign in with Facebook", user_facebook_omniauth_authorize_path %>

Apparently the helpers for the omniauth routes have changed since the rake routes command returned:

user_facebook_omniauth_authorize   GET|POST   /users/auth/facebook(.:format)          omniauth_callbacks#passthru

and not as it was some months ago when I started the project.

user_omniauth_authorize            GET|POST   /users/auth/facebook(:provider)          omniauth_callbacks#passthru

Hope this post helps someone.

Answer 3

I had the same error.
What worked for me was restarting the rails server, to reflect the changes (config.omniauth :facebook, ENV['FB_APP_ID'], ENV['FB_APP_SECRET']) I had made to config/initializers/devise.rb.

Answer 4

It can happen when you're trying to use link_to where the request will be a GET.

1. You need to change it to a button_to where a form will be created.
2. Alternatively, you can use link_to with method: :post if you have the rails-ujs, but I recommend you use the form since it'll have the CSRF on it;
3. You need to add the gem omniauth-rails_csrf_protection to avoid Authenticity Error.

Answer 5

I should have listed this sooner, but I ended up doing a "back out and retry" approach; I deleted everything I had related to OmniAuth and started over following the instructions. I wish I knew what, specifically, I had wrong but unfortunately it "just worked" once I retried.

tl;dr Follow the steps in https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview verbatim and it should work

Answer 6

For anyone who wants to know how to fix this, simply declare a passthru method, or do what I did, which is use action_missing (not method_missing, it is deprecated in Rails 4!) to catch all users/auth/:provider urls that omniauth uses in one method.

For instance,

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController

  def action_missing(provider)
    # Set up authentication/authorizations here, and distribute tasks
    # that are provider specific to other methods, leaving only tasks
    # that work across all providers in this method. 
  end

I hope that helps anyone else who gets stuck here, I sure did.

Answer 7

I spent the entire day today trying to track down the issue and I finally found it while going back in git history since it used to work earlier.

It turned out that the routing-filter to switch locales somehow was the root of the evil. I just disabled the filter :locale method in my routes and the authorization request went through to facebook. Bloody hell, I'm so glad I finally found out about that :)

Answer 8

Seeing Not found. Authentication passthru. means the Omniauth controller is not catching the route. Most likely this is because the route is being reached via GET, but as of recently only POST is supported by default.

The naive answer, and what is suggested for the Google Oauth2 integeration, is to simply re-enable GET requests:

OmniAuth.config.allowed_request_methods = [:get]

Answer 9

It could be happening because the configuration with Devise and Omniauth should be made ONLY in config/initializers/devise.rb. Do not create the onfig/initializers/omniauth.rb file.

Remember that config.omniauth adds omniauth provider middleware to your application. This means you should not add this provider middleware again in config/initializers/omniauth.rb as they'll clash with each other and result in always-failing authentication.

https://github.com/heartcombo/devise/wiki/OmniAuth%3A-Overview#before-you-start

Answer 10

Try setting omniauth_path_prefix in devise initializer (config/initializers/devise.rb) file.

For User class:

config.omniauth_path_prefix = "/users/auth"

For other class (e.g. when you use Account not User):

config.omniauth_path_prefix = "/accounts/auth"

Same thing with translated routes (my case). I've tranlated 'users' into 'blabla'. To have it working I had to set prefix to "/blabla/auth". (Works for only one locale!)

Answer 11

One thing I didn't see mentioned in the answers is making sure that your button_to helper is not nested within your sign in (or any other) form!

E.g. I had:

app/views/devise/sessions/new.html.erb

<%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>

  <%# this is the wrong place to place it! %>
  <%= button_to "Sign in with Github", user_github_omniauth_authorize_path, data: { turbo: false } %>

  <div class="actions">
    <%= f.submit "Log in" %>
  </div>

<% end %>

You can't have nested forms (the button_to helper creates its own form, see the docs: https://api.rubyonrails.org/classes/ActionView/Helpers/UrlHelper.html#method-i-button_to). So I simply moved button_to out of the form_for block. Really simple mistake on my end!

Answer 12

Make sure to write the same spelling of providers on both user.rb and devise.rb like -

user.rb

devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable, :confirmable, :omniauthable, omniauth_providers: [:google_oauth2, :facebook], authentication_keys: [:login], reset_password_keys: [:login], confirmation_keys: [:login]

devise.rb

config.omniauth :google_oauth2, ENV["GOOGLE_OAUTH_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"],   
{
    scope: 'userinfo.email, userinfo.profile',
    prompt: 'select_account',
    image_aspect_ratio: 'square',
    image_size: 50
  }

config.omniauth :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_SECRET'], scope: 'email', info_fields: 'email, first_name, last_name', callback_url: "#{ENV["HOST_URL"]}/users/auth/facebook/callback"