[Security] Support for the :state parameter required with omniauth-oauth2 v1.1 #43

ZenCocoon · 2012-07-10T07:27:00Z

Hi,

A few days ago, a security update has been made to omniauth-oauth2, this one uses the :state parameter to mitigate CSRF. omniauth/omniauth-oauth2#18

However, it seem that devise_oauth2_providable doesn't handle this parameter as expected as it doesn't send it back in the callback.

A similar issue seems to be faced at omniauth/omniauth-oauth2#20

The text was updated successfully, but these errors were encountered:

adampope · 2012-07-13T12:47:57Z

+1 to this. Would love to see a fix.

karlfreeman · 2012-07-17T00:29:14Z

👍

ZenCocoon · 2012-07-17T08:07:32Z

Anyone having time to make a pull request?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Support for the :state parameter required with omniauth-oauth2 v1.1 #43

[Security] Support for the :state parameter required with omniauth-oauth2 v1.1 #43

ZenCocoon commented Jul 10, 2012

adampope commented Jul 13, 2012

karlfreeman commented Jul 17, 2012

ZenCocoon commented Jul 17, 2012

[Security] Support for the :state parameter required with omniauth-oauth2 v1.1 #43

[Security] Support for the :state parameter required with omniauth-oauth2 v1.1 #43

Comments

ZenCocoon commented Jul 10, 2012

adampope commented Jul 13, 2012

karlfreeman commented Jul 17, 2012

ZenCocoon commented Jul 17, 2012