Support Forum
Omniauth throws InvalidAuthenticityToken in combination with omniauth-ldap

Eduard
08/10/2019 08:43

Dear community,

I successfully integrated LDAP authorization with omniauth-ldap (see: https://github.com/buehl/decidim-buehl-intra/commit/c8d57a1759ce5bfbfffa0a1a779df4038cdb2353#diff-2245023265ae4cf87d02c8b6ba991139).

While this works perfectly, I'm still struggling for a couple of days with the integrated forgery protection. After typing my LDAP credentials on the corresponding form, the callback leads to a 422 error with the following log:

I, [2019-10-08T08:05:56.223573 #24115] INFO -- : [183af26c-1187-4cbd-ba59-f98adb9e56c5] Started POST "/users/auth/ldap" for 127.0.0.1 at 2019-10-08 08:05:56 +0200
D, [2019-10-08T08:05:56.225107 #24115] DEBUG -- : [183af26c-1187-4cbd-ba59-f98adb9e56c5] Decidim::Organization Load (0.5ms) SELECT "decidim_organizations".* FROM "decidim_organizations" WHERE "decidim_organizations"."host" = $1 LIMIT $2 [["host", "mein.buehl.intra"], ["LIMIT", 1]]
I, [2019-10-08T08:06:00.425339 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2019-10-08 08:06:00 +0200
D, [2019-10-08T08:06:00.426894 #24115] DEBUG -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Decidim::Organization Load (0.6ms) SELECT "decidim_organizations".* FROM "decidim_organizations" WHERE "decidim_organizations"."host" = $1 LIMIT $2 [["host", "mein.buehl.intra"], ["LIMIT", 1]]
I, [2019-10-08T08:06:00.441086 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Processing by Decidim::Devise::OmniauthRegistrationsController#ldap as HTML
I, [2019-10-08T08:06:00.441166 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Parameters: {"username"=>"[FILTERED]", "password"=>"[FILTERED]"}
W, [2019-10-08T08:06:00.441595 #24115] WARN -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Can't verify CSRF token authenticity.
I, [2019-10-08T08:06:00.442112 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
I, [2019-10-08T08:06:00.442600 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Processing by Decidim::Devise::OmniauthRegistrationsController#failure as HTML
I, [2019-10-08T08:06:00.442693 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Parameters: {"username"=>"itricedu", "password"=>"[FILTERED]"}
W, [2019-10-08T08:06:00.442881 #24115] WARN -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Can't verify CSRF token authenticity.
I, [2019-10-08T08:06:00.443210 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms)
F, [2019-10-08T08:06:00.444798 #24115] FATAL -- : [dafc10d9-5520-4be4-a096-a62fe88e7051]
F, [2019-10-08T08:06:00.444860 #24115] FATAL -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
F, [2019-10-08T08:06:00.444910 #24115] FATAL -- : [dafc10d9-5520-4be4-a096-a62fe88e7051]
F, [2019-10-08T08:06:00.445003 #24115] FATAL -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] actionpack (5.2.3) lib/action_controller/metal/request_forgery_protection.rb:211:in `handle_unverified_request'

I already played around with all possible nginx settings, turned off the redirect to https and used puma directly without nginx in between.

The only adaptation that helped was to turn off forgery protection in app/controllers/decidim/devise/omniauth_registrations_controller.rb, but this shouldn't be a final solution to this problem.

Have any of you already encountered this problem and maybe know a trick to enable CSRF authenticity verification for omniauth-ldap?

I'm not sure whether this is a problem of my configuration, omniauth, omniauth-ldap or how Decidim integrated omniauth registration, but after I struggled with this problem for multiple days, I'm coming to the end of my modest Ruby knowledge.
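As an added example (not part of Eduard's post or of Decidim), a small Ruby script that groups Rails request-log lines by request id and reports which POSTs were rejected with a CSRF warning, together with the controller action that rejected them; this makes a failing OmniAuth callback like the one above easy to spot in a larger log. The sample lines are constructed to mirror the log in the post.

```ruby
# Added example, not code from the post: correlate Rails log lines by request id
# and report requests that failed CSRF verification (422 after the CSRF warning).

REQUEST_ID = /\[([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\]/
STARTED    = /Started (\w+) "([^"]+)" for (\S+)/
PROCESSING = /Processing by (\S+) as/
CSRF_WARN  = "Can't verify CSRF token authenticity."
COMPLETED  = /Completed (\d{3})/

# Walk the log once, building one record per request id, and return only the
# requests that carried a CSRF warning.
def csrf_failures(lines)
  requests = Hash.new { |h, k| h[k] = { csrf_warning: false } }
  lines.each do |line|
    id = line[REQUEST_ID, 1] or next   # skip lines without a request id
    req = requests[id]
    if (m = STARTED.match(line))
      req[:method], req[:path], req[:ip] = m[1], m[2], m[3]
    elsif (m = PROCESSING.match(line))
      req[:action] ||= m[1]            # first action; #failure runs after the rescue
    elsif line.include?(CSRF_WARN)
      req[:csrf_warning] = true
    elsif (m = COMPLETED.match(line))
      req[:status] ||= m[1].to_i       # first status is the one that mattered
    end
  end
  requests.select { |_, r| r[:csrf_warning] }.map { |id, r| r.merge(id: id) }
end

# Constructed sample, modelled on the log in the post (request ids reused from it).
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  I, [2019-10-08T08:05:56.223573 #24115] INFO -- : [183af26c-1187-4cbd-ba59-f98adb9e56c5] Started POST "/users/auth/ldap" for 127.0.0.1 at 2019-10-08 08:05:56 +0200
  I, [2019-10-08T08:06:00.425339 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2019-10-08 08:06:00 +0200
  I, [2019-10-08T08:06:00.441086 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Processing by Decidim::Devise::OmniauthRegistrationsController#ldap as HTML
  W, [2019-10-08T08:06:00.441595 #24115] WARN -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Can't verify CSRF token authenticity.
  I, [2019-10-08T08:06:00.442112 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
  I, [2019-10-08T08:06:00.442600 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Processing by Decidim::Devise::OmniauthRegistrationsController#failure as HTML
  W, [2019-10-08T08:06:00.442881 #24115] WARN -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Can't verify CSRF token authenticity.
  I, [2019-10-08T08:06:00.443210 #24115] INFO -- : [dafc10d9-5520-4be4-a096-a62fe88e7051] Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms)
LOG

if __FILE__ == $PROGRAM_NAME
  csrf_failures(SAMPLE_LOG).each do |r|
    puts "#{r[:id]} #{r[:method]} #{r[:path]} -> #{r[:action]} (#{r[:status]}) from #{r[:ip]}"
  end
end
```

Run against a real production.log, the report shows only the callback request, not the initial POST to /users/auth/ldap, which is the pattern of a form posting to the callback without a Rails authenticity token.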


Reference: MDC-PROP-2019-10-14847