Issue: CSRF Detected Error with OAuth2 Login using oauth2-basic Plugin

Hi,

I encountered a “csrf_detected” error while using the oauth2-basic plugin to log in via OAuth2. Below is the detailed flow of the issue:

  1. I click “Login,” which redirects me to:
    https://myforum/auth/basic_oauth2
  2. It then performs a 302 redirect to:
    https://myforum/auth/failure?message=csrf_detected

Reproduction Steps:

When I attempt to log in, the following curl command simulates the request:

curl -vvvv 'https://myforum/auth/oauth2_basic' \
  -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H 'accept-language: zh-CN,zh;q=0.9' \
  -H 'cache-control: max-age=0' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'cookie: _forum_session=k9aHXc2cWsx%2FMBL26KTV33PSo8jC9Am47UBoT5Zq9qYAm2nKoU2BJkAR1bgc6U%2BYqsL3%2F3sjiYRmJoNr3JuvzkjdYl%2FjzT9djkq%2BYjSmN16EUEdZIdOl%2Fiv1MohQkthKSnOpUdXLTxHZBezxTg4O%2Bs6LUZ7HzCjpT3lxm24FS4xOPkU5QnSHBM%2F7GazZRhGywXsHKGdJ6fY0kVo%2BJHNNHBZu--qQKGn36Xh7jvKPEs--I1b3oz4nv2xe%2Fmi0bKPLog%3D%3D' \
  -H 'origin: https://myforum' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36' \
  --data-raw 'authenticity_token=doSNHEhj23HibAEZf0znqzevPNPq9Bub69Xnq18mKARw8GiGP-cokbg7k0qUvRgH3kayeJK7_-boeoOvX6GKqQ'

The result is a 302 redirect to the failure page with the message “csrf_detected”:

< HTTP/2 302 
< location: /auth/failure?message=csrf_detected

Findings:

  • If I omit the authenticity_token parameter, the login flow works correctly, and it redirects me to the OAuth2 login page as expected:

Question:

It seems that when the GET request to /auth/oauth2_basic includes an authenticity_token, the system checks it and throws the CSRF error if the token is invalid. But I’m confused—since I’m not logged in yet, how would I even have an authenticity_token at this stage?

Is this expected behavior, or is there an issue with how the CSRF token is being handled in the initial login process?

Any help or guidance would be appreciated!

Thank you!
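To make the question above concrete, here is a small added example (not Discourse's, OmniAuth's or the oauth2-basic plugin's own code) of the request-phase CSRF guard that sits in front of an `/auth/<provider>` entry point. It models the standard Rails rule: idempotent GET/HEAD requests are exempt, while a POST must carry an `authenticity_token` that is bound to the browser's own session. The class names `Session` and `CsrfGuard`, the redirect paths, and the sample tokens are all constructed for the illustration; the failure location mirrors the `/auth/failure?message=csrf_detected` redirect seen in the report.

```ruby
require 'securerandom'

# Constructed stand-in for a cookie-backed Rails session store.
class Session
  def initialize; @data = {}; end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
end

# Hypothetical request-phase guard for an OAuth login entry point.
module CsrfGuard
  # Mint a token once per session; the login button's form embeds it as the
  # hidden authenticity_token field. A token is only meaningful together with
  # the session cookie it was minted for.
  def self.issue_token(session)
    session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
  end

  # Constant-time comparison so a mismatch leaks nothing about where it occurred.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Decide what happens when the browser hits /auth/<provider>.
  # Returns :proceed (redirect on to the identity provider) or
  # :csrf_detected (redirect to the failure page).
  def self.check(session, method:, params:)
    # GET/HEAD carry no state-changing intent, so no token is demanded.
    return :proceed if %w[GET HEAD].include?(method.upcase)

    submitted = params['authenticity_token']
    expected  = session[:csrf_token]
    # A POST needs a token, the session needs to have minted one, and the two
    # must match. A token copied from another session (or a session whose
    # cookie the backend no longer recognises) fails this step.
    return :csrf_detected if submitted.nil? || expected.nil?
    secure_equal?(submitted, expected) ? :proceed : :csrf_detected
  end

  def self.redirect_location(result)
    result == :proceed ? '/auth/provider/start' : '/auth/failure?message=csrf_detected'
  end
end

if __FILE__ == $0
  browser = Session.new
  token = CsrfGuard.issue_token(browser)
  # Token presented with the session that minted it: allowed.
  puts CsrfGuard.redirect_location(CsrfGuard.check(browser, method: 'POST', params: { 'authenticity_token' => token }))
  # Same token presented with a different session cookie: csrf_detected.
  stale = Session.new
  CsrfGuard.issue_token(stale)
  puts CsrfGuard.redirect_location(CsrfGuard.check(stale, method: 'POST', params: { 'authenticity_token' => token }))
end
```

The last case in the demo is the one to keep in mind when reading a curl reproduction: a token pasted from one browser session and replayed with a cookie from another (or with a session the backend has since rotated) is exactly the "browser and backend disagree" situation, and the guard reports it as `csrf_detected` rather than as an invalid login.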

We frequently see this error when there’s a mismatch between what the browser is using and what the backend is expecting.

Can you try turning on force_https and see if that fixes the problem?

If not, what’s your request path?