
Configured verbatim, devise_token_auth receives this error google only #282


Closed
jancel opened this issue Jun 29, 2015 · 8 comments

@jancel

jancel commented Jun 29, 2015

I have configured everything (devise_token_auth, ng-token-auth) and when I configure google, it sends me off, I issue permissions and get this error on the return trip.

{"errors":["Use POST /sign_in to sign in. GET is not supported."]}

More information. I'm using google_oauth2.

Here are my logs (this is just after allowing google access).

Started GET "/omniauth/google_oauth2/callback?state=519d4fe3a8515cc059940ee76e673a7c797e1f3986673434&code=4/GvkUtyhoTHS-VrEueckVhYAZLbZGN8P8KtD4XOUbjRA" for ::ffff:127.0.0.1 at 2015-06-28 20:12:02 -0400
Processing by Devise::OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"519d4fe3a8515cc059940ee76e673a7c797e1f3986673434", "code"=>"4/GvkUtyhoTHS-VrEueckVhYAZLbZGN8P8KtD4XOUbjRA"}
Redirected to http://hubster-rails.dev/auth/sign_in
Completed 302 Found in 217ms (ActiveRecord: 0.0ms)


Started GET "/auth/sign_in" for ::ffff:127.0.0.1 at 2015-06-28 20:12:07 -0400
Processing by DeviseTokenAuth::SessionsController#new as HTML
Completed 405 Method Not Allowed in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms)

@ianchen06

I'm getting the exact same error with omniauth-facebook and omniauth-twitter.

After authentication and receiving the auth_hash, the browser will continue to redirect and get back to the providers for authentication.

Looking forward to getting this resolved, thanks for such a great gem!

@AndreasHein

I get the same error, but only after deviating from the documentation and adding the following code to my devise.rb:

config.omniauth :facebook,      ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET']

If I do not add the code to this file and follow the documentation only adding my keys to the omniauth.rb I get: invalid_credentials.

However if I check the login status on the frontend with:

Facebook.getLoginStatus(function(response) {
  if (response.status == 'connected') {
    userService.setIsLogged(true);
  }
});

I get a success message. So despite getting the invalid_credentials message the login seems to be successful. Of course no user is created at the backend.

I am using a single page Angular application (own domain) in combination with the rails API backend (Heroku).

Does anyone know what the problem might be? Many thanks in advance!

@charlesdg
Contributor

Hello, same problem as @jancel when I try to manually cancel the omniauth authentication. I do not have the problem when I accept the omniauth authentication.

Here are my logs:

Started GET "/api_v2/auth/linkedin?auth_origin_url=http%3A%2F%2Flocalhost%3A3000%2Ffr%2Flogin&omniauth_window_type=newWindow" for ::1 at 2015-12-22 11:39:13 +0100


Started GET "/omniauth/linkedin?auth_origin_url=http%3A%2F%2Flocalhost%3A3000%2Ffr%2Flogin&omniauth_window_type=newWindow&resource_class=Identity" for ::1 at 2015-12-22 11:39:13 +0100
I, [2015-12-22T11:39:14.110470 #2803]  INFO -- omniauth: (linkedin) Request phase initiated.


Started GET "/omniauth/linkedin/callback?auth_origin_url=http%3A%2F%2Flocalhost%3A3000%2Ffr%2Flogin&omniauth_window_type=newWindow&resource_class=Identity&oauth_problem=user_refused" for ::1 at 2015-12-22 11:39:16 +0100
I, [2015-12-22T11:39:16.881049 #2803]  INFO -- omniauth: (linkedin) Callback phase initiated.
E, [2015-12-22T11:39:17.052539 #2803] ERROR -- omniauth: (linkedin) Authentication failure! invalid_credentials: OAuth::Problem, parameter_absent
Processing by Devise::OmniauthCallbacksController#failure as HTML
  Parameters: {"auth_origin_url"=>"http://localhost:3000/fr/login", "omniauth_window_type"=>"newWindow", "resource_class"=>"Identity", "oauth_problem"=>"user_refused"}
Redirected to http://localhost:3000/api_v2/auth/sign_in
Completed 302 Found in 2ms (ActiveRecord: 0.0ms)


Started GET "/api_v2/auth/sign_in" for ::1 at 2015-12-22 11:39:17 +0100
Processing by APIV2::SessionsController#new as JSON
Completed 405 Method Not Allowed in 2ms (Views: 0.2ms | ActiveRecord: 0.0ms)

As we can see, Devise is taking the lead and redirects to Devise::OmniauthCallbacksController#failure. I tried to force the on_failure action:

OmniAuth.config.on_failure = Proc.new { |env| APIV2::OmniauthCallbacksController.action(:omniauth_failure).call(env) }

but still no success.

Any ideas?

@diegoalejandrogomez

I think that I've found a possible solution. After some research, that appears to be a Facebook error. After debugging the app and devise, I figured out that I'm having this error: "error":{"message":"This IP can't make requests for that application.","type":"OAuthException"
For that reason, devise is redirecting to error handling.
To solve this, I have to add my public IP on Facebook (advanced settings, allowed IPs).
Hope this helps.

@mikeborg

Try using this gem combination:
gem 'devise_token_auth'
gem 'omniauth-oauth2', '1.3.1'
gem 'omniauth-linkedin' # or whatever oauth provider you need

@paneer-tikka

In case it helps someone else, rails logs contained the hint:

ERROR -- omniauth: (google_oauth2) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
Processing by Devise::OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"a529557997c737b03402398789a7a8abf02b1f199b54999a", "code"=>"4/omdJ-xTsUZk7bROLHVeR52AuPnN3N_aLUi6tfMOSXSY"}

That led me to omniauth/omniauth-oauth2#58
In my case, the issue turned out that I had my clientId and secret in both my omniauth.rb file as well as my devise.rb config file. I did this following the omniauth-google-oauth2 gem instructions. Turns out you don't need the omniauth.rb file at all if you have already configured it in devise.rb. I'm still not sure how that leads to a CSRF issue, but deleting omniauth.rb fixed the issue.
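
One possible mechanism for the csrf_detected failure in the comment above, as an added example that is not part of the thread or of any gem's code. It assumes both registrations of the strategy handle the same callback path and that the stored state is single-use; `ToyOAuth2Strategy` and `callback_status` are hypothetical names.

```ruby
require 'securerandom'

# Simplified model (assumption) of an OAuth2 strategy middleware: the request
# phase stores a random state in the session, the callback phase consumes it.
class ToyOAuth2Strategy
  CALLBACK_PATH = '/omniauth/google_oauth2/callback' # path seen in the logs above

  def initialize(app)
    @app = app
  end

  # Request phase: remember the state value that is sent to the provider.
  def self.start_login(session)
    session['omniauth.state'] = SecureRandom.hex(24)
  end

  def call(env)
    return @app.call(env) unless env['PATH_INFO'] == CALLBACK_PATH

    # Single use: the stored state is deleted in the same step that reads it.
    expected = env['session'].delete('omniauth.state')
    returned = env['params']['state'].to_s
    if returned.empty? || returned != expected
      return [302, { 'Location' => '/failure?message=csrf_detected' }, []]
    end
    env['omniauth.auth'] = { 'provider' => 'google_oauth2' }
    @app.call(env) # hand the authenticated request to the rest of the stack
  end
end

# Runs one callback through a stack holding `copies` registrations of the
# strategy. `forged: true` models a callback whose state was not issued here.
def callback_status(copies:, forged: false)
  app = ->(_env) { [200, {}, ['signed in']] }
  copies.times { app = ToyOAuth2Strategy.new(app) }
  session = {}
  state = ToyOAuth2Strategy.start_login(session)
  state = 'not-the-issued-state' if forged
  env = { 'PATH_INFO' => ToyOAuth2Strategy::CALLBACK_PATH,
          'session' => session, 'params' => { 'state' => state } }
  status, headers, = app.call(env)
  [status, headers['Location']]
end
```

With one registration a genuine callback passes and a forged state is rejected; with two, the outer copy consumes the state and the inner copy rejects the same genuine callback.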

@KRaymundus

Had the same problem. I've been searching for hours. I found the redirect_to_failure code here was never called.
I tried to put the code in the OmniAuth.config.on_failure directly, but this was never called. As devise-token-auth is a layer over devise, and devise is a layer over omniauth, somewhere the on_failure code is monkeypatched already. Therefore, to re-monkeypatch it you have to put the config code in an after_initialize block:

Rails.application.config.after_initialize do
  OmniAuth.config.on_failure = Proc.new do |env|
    message_key = env['omniauth.error.type']
    origin_query_param = env['omniauth.origin'] ? "&origin=#{CGI.escape(env['omniauth.origin'])}" : ""
    strategy_name_query_param = env['omniauth.error.strategy'] ? "&strategy=#{env['omniauth.error.strategy'].name}" : ""
    extra_params = env['omniauth.params'] ? "&#{env['omniauth.params'].to_query}" : ""
    new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}#{extra_params}"
    Rack::Response.new(["302 Moved"], 302, 'Location' => new_path).finish
  end
end

@zachfeldman
Contributor

Seems like @KRaymundus has a possible answer here with little activity since then, so I'll be closing this for now.
