So firstly we were getting a CSRF error that didn't make much sense. It was failing in the callback phase of omniauth.
Started GET "/auth/lightspeed" for 127.0.0.1 at 2015-12-02 14:48:32 +1100
I, [2015-12-02T14:48:32.949808 #32768] INFO -- omniauth: (lightspeed) Request phase initiated.
Started GET "/auth/lightspeed/callback?code=b8cb8bcc6f741f2f919e3924e0dc3c648f67d129&state=457c2b3ab0917bdc88180edf1fdc8be63c1011b0a9939a7e" for 127.0.0.1 at 2015-12-02 14:48:44 +1100
I, [2015-12-02T14:48:44.254381 #32768] INFO -- omniauth: (lightspeed) Callback phase initiated.
E, [2015-12-02T14:48:44.254727 #32768] ERROR -- omniauth: (lightspeed) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
E, [2015-12-02T14:48:44.255305 #32768] ERROR -- omniauth: (lightspeed) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
[Rollbar] Reporting exception: csrf_detected | CSRF detected
[Rollbar] Exception not reported because Rollbar is disabled
OmniAuth::Strategies::OAuth2::CallbackError - csrf_detected | CSRF detected:
omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:25:in `raise_out!'
omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:20:in `call'
omniauth (1.2.2) lib/omniauth/failure_endpoint.rb:12:in `call'
omniauth (1.2.2) lib/omniauth/strategy.rb:475:in `fail!'
omniauth-oauth2 (1.3.1) lib/omniauth/strategies/oauth2.rb:75:in `callback_phase'
omniauth (1.2.2) lib/omniauth/strategy.rb:227:in `callback_call'
omniauth (1.2.2) lib/omniauth/strategy.rb:184:in `call!'
omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
omniauth (1.2.2) lib/omniauth/builder.rb:59:in `call'
rack (1.6.4) lib/rack/etag.rb:24:in `call'
rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
rack (1.6.4) lib/rack/head.rb:13:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/flash.rb:260:in `call'
rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.2.3) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.2.3) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
activerecord (4.2.3) lib/active_record/migration.rb:377:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.2.3) lib/active_support/callbacks.rb:84:in `run_callbacks'
actionpack (4.2.3) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
rollbar (1.5.3) lib/rollbar/middleware/rails/rollbar.rb:24:in `block in call'
rollbar (1.5.3) lib/rollbar.rb:799:in `scoped'
rollbar (1.5.3) lib/rollbar/middleware/rails/rollbar.rb:22:in `call'
better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'
better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'
better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
rollbar (1.5.3) lib/rollbar/middleware/rails/show_exceptions.rb:22:in `call_with_rollbar'
actionpack (4.2.3) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.2.3) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.2.3) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.2.3) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.2.3) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.2.3) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.2.3) lib/rails/rack/logger.rb:20:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
rack (1.6.4) lib/rack/runtime.rb:18:in `call'
activesupport (4.2.3) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
rack (1.6.4) lib/rack/lock.rb:17:in `call'
actionpack (4.2.3) lib/action_dispatch/middleware/static.rb:116:in `call'
rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
railties (4.2.3) lib/rails/engine.rb:518:in `call'
railties (4.2.3) lib/rails/application.rb:165:in `call'
rack (1.6.4) lib/rack/content_length.rb:15:in `call'
thin (1.6.4) lib/thin/connection.rb:86:in `block in pre_process'
thin (1.6.4) lib/thin/connection.rb:84:in `pre_process'
thin (1.6.4) lib/thin/connection.rb:53:in `process'
thin (1.6.4) lib/thin/connection.rb:39:in `receive_data'
eventmachine (1.0.8) lib/eventmachine.rb:193:in `run'
thin (1.6.4) lib/thin/backends/base.rb:73:in `start'
thin (1.6.4) lib/thin/server.rb:162:in `start'
rack (1.6.4) lib/rack/handler/thin.rb:19:in `run'
rack (1.6.4) lib/rack/server.rb:286:in `start'
railties (4.2.3) lib/rails/commands/server.rb:80:in `start'
railties (4.2.3) lib/rails/commands/commands_tasks.rb:80:in `block in server'
railties (4.2.3) lib/rails/commands/commands_tasks.rb:75:in `server'
railties (4.2.3) lib/rails/commands/commands_tasks.rb:39:in `run_command!'
railties (4.2.3) lib/rails/commands.rb:17:in `<top (required)>'
bin/rails:4:in `<main>'
The 'omniauth.state' that was being set in the session during the request phase was nil.
In oauth2.rb:
elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
I tried setting the option provider_ignores_state: true, but was still having a world of problems because of the session.
I saw other people mention domains. We weren't even setting a domain and I was adamant that our domains matched. The problem was, we had an app redirecting to another app which was then redirecting to Lightspeed auth.
I'm writing this to help others that may find themselves in a similar situation, as I spent a whole lot of time on this yesterday.
Our domains didn't exactly match and after fixing up our nginx config the CSRF error was no more!
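As an added example (not the post's or omniauth-oauth2's own code), here is a small Ruby model of the state check quoted above: the request phase stores a random state in the session, the callback phase compares it, and a callback that arrives without the request-phase session cookie (as happens when the cookie domains do not match) sees nil and raises csrf_detected, while provider_ignores_state skips the comparison entirely. CallbackError, the session hashes and the parameter values are constructed here for illustration.

```ruby
require "securerandom"

# Constructed stand-in for OmniAuth::Strategies::OAuth2::CallbackError.
class CallbackError < StandardError; end

# Request phase: mint a random state, remember it in the session and
# send it to the provider so it can be echoed back on the callback.
def request_phase(session)
  state = SecureRandom.hex(24)
  session["omniauth.state"] = state
  state
end

# Callback phase: the same comparison as the elsif line from oauth2.rb,
# run against whatever session Rack hands back for this request.
# The check ties the callback to the browser session that started the
# flow, so a callback URL injected from elsewhere is rejected.
def callback_phase(session, params, provider_ignores_state: false)
  stored = session.delete("omniauth.state")
  if !provider_ignores_state &&
     (params["state"].to_s.empty? || params["state"] != stored)
    raise CallbackError, "csrf_detected | CSRF detected"
  end
  :ok
end

# Same cookie domain: the callback carries the session cookie set in the
# request phase, so the stored state matches and the check passes.
def same_domain_flow
  session = {}
  state = request_phase(session)
  callback_phase(session, { "code" => "constructed", "state" => state })
end

# Mismatched cookie domain (the post's bug): the provider echoes the state
# back correctly, but the callback request arrives with a fresh, empty
# session, so the stored value is nil and the comparison fails.
def lost_session_flow(provider_ignores_state: false)
  request_session = {}
  state = request_phase(request_session)
  callback_session = {} # cookie not sent back -> new session, no omniauth.state
  callback_phase(callback_session,
                 { "code" => "constructed", "state" => state },
                 provider_ignores_state: provider_ignores_state)
rescue CallbackError => e
  e.message
end
```

With provider_ignores_state set, lost_session_flow returns :ok even though the session was lost, which is why that option masks the symptom rather than fixing the cookie domain.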
Then I kept getting a redirect_uri error.
In the meantime I had updated our gems (stupid, I know). There is a breaking change in omniauth-oauth2 1.4.0.
Locked the gem to 1.3.1.