"Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError" Error due to missing session["omniauth.state"]

Greetings,
We are trying to deploy discourse forums in production mode. We are using our own oauth provider and hence using discourse-oauth2-basic plugin to enable the same.

We are seeing the following error when logging in with our custom OAuth provider:

“Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected”

After some debugging, it is seen that “omniauth.state” is missing from the session after the redirect happens, and hence we are unable to validate the state field in /auth/oauth2_callback. Any help would be appreciated.

Note: The entire setup is working fine in the development mode

Thank you.
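As an added illustration (not code from the original post, from OmniAuth, or from Discourse), the block below re-implements the state check that produces “csrf_detected” and models one common way the session can go missing between the request phase and the callback: the session cookie is flagged Secure but the callback arrives over plain http, so the browser never sends it back and the server builds a fresh, empty session. Whether that is the cause in this thread is an assumption; the classes CookieJar, SessionStore, StateChecker and the cookie name _forum_session are hypothetical names for this model, and the browser and sessions are constructed in-process so it runs offline.

```ruby
require "securerandom"

# Mirrors the error OmniAuth raises; not OmniAuth's own class.
class CallbackError < StandardError
  attr_reader :error, :error_reason
  def initialize(error, error_reason)
    @error = error
    @error_reason = error_reason
    super("#{error} | #{error_reason}")
  end
end

# Minimal re-implementation (hypothetical, not OmniAuth's code) of the
# request/callback state handling that yields "csrf_detected".
class StateChecker
  STATE_KEY = "omniauth.state"

  # Request phase: mint a random state, persist it in the session and return
  # it so the caller can place it in the provider's authorize URL.
  def request_phase(session)
    state = SecureRandom.hex(24)
    session[STATE_KEY] = state
    state
  end

  # Callback phase: the stored state and the echoed ?state= param must both
  # be present and equal; a session without the key fails the same way as a
  # forged request, which is exactly the symptom described above.
  def callback_phase(session, params)
    expected = session.delete(STATE_KEY)
    echoed = params["state"]
    if expected.nil? || expected.empty? || echoed != expected
      raise CallbackError.new(:csrf_detected, "CSRF detected")
    end
    :ok
  end
end

# Constructed browser cookie jar: a cookie flagged Secure is only sent back
# on https requests.
class CookieJar
  def initialize
    @cookies = {}
  end

  def set(name, value, secure:)
    @cookies[name] = { value: value, secure: secure }
  end

  def send_for(scheme)
    @cookies.select { |_, c| scheme == "https" || !c[:secure] }
            .transform_values { |c| c[:value] }
  end
end

# Constructed server-side session store keyed by the session cookie value.
class SessionStore
  def initialize
    @sessions = Hash.new { |h, k| h[k] = {} }
  end

  # A request that carries no session cookie gets a fresh, empty session.
  def load(cookies)
    sid = cookies["_forum_session"] || SecureRandom.hex(16)
    [sid, @sessions[sid]]
  end
end

# Simulate one login round trip and return :ok or the CallbackError code.
def simulate_login(scheme:, secure_cookie:)
  jar = CookieJar.new
  store = SessionStore.new
  checker = StateChecker.new

  # 1. Browser hits the auth start URL: state minted, session cookie set.
  sid, session = store.load(jar.send_for(scheme))
  state = checker.request_phase(session)
  jar.set("_forum_session", sid, secure: secure_cookie)

  # 2. Provider redirects the browser back to the callback with ?state=...
  _sid, session = store.load(jar.send_for(scheme))
  checker.callback_phase(session, { "state" => state })
rescue CallbackError => e
  e.error
end
```

simulate_login(scheme: "https", secure_cookie: true) and simulate_login(scheme: "http", secure_cookie: false) both return :ok, while simulate_login(scheme: "http", secure_cookie: true) returns :csrf_detected: the state was minted and stored, but the callback request arrived without the cookie that identifies that session. The practical check this suggests is to compare the Set-Cookie header on the auth start response with the Cookie header the browser sends on the callback, and to confirm the scheme and host are identical on both legs.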

Is authentication starting and ending in the same browser? Have you changed the default same site cookies setting value?


Yes @david, authentication is starting and ending in the same browser. We have not changed the value of same_site_cookies. It is set to the default, “Lax”.

Are you following our standard install guide?

Unfortunately it is very tricky for us to help here without visibility of the site. Are you able to share a link?


Hello @david, we are hosting Discourse using Docker containers. The Dockerfile we are using is https://github.com/discourse/discourse_docker/tree/master/image/base. Since there is no script to start Discourse inside the Docker container, we have added a small start script which precompiles assets and starts Discourse:
RAILS_ENV=production bundle exec rake db:migrate
RAILS_ENV=production bundle exec rake assets:precompile
RAILS_ENV=production bundle exec rails server --binding=0.0.0.0

Unfortunately it is very difficult for us to offer community support here for custom installations. Please try setting up Discourse using the official guide. If you’re not able to do that, maybe someone in the #marketplace could help out for a fee.
