Hi Team,
I’m trying to integrate discourse-zoom into a community app for my team. After creating and validating server-2-server Oauth app everything seemed fine, I’ve installed ‘discourse-oauth2-basic’ plugin in order to get the ‘/auth/oauth2_basic/callback’ URL needed to Authorize the Meetings SDK. After configuring the SDK and trying to start the authorization flow by pasting the generated url into my browser I keep getting the following error .
I did some research and found that a CSRF exception is raised by the underlying OmniAuth strategy code.
(oauth2_basic) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
Backtrace
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:163:in `log'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:486:in `fail!'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-oauth2-1.7.3/lib/omniauth/strategies/oauth2.rb:87:in `callback_phase'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:238:in `callback_call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:189:in `call!'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-1.9.2/lib/omniauth/strategy.rb:169:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-1.9.2/lib/omniauth/builder.rb:45:in `call'
/var/www/discourse/lib/middleware/omniauth_bypass_middleware.rb:43:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/tempfile_reaper.rb:15:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/conditional_get.rb:27:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/head.rb:12:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/http/permissions_policy.rb:38:in `call'
/var/www/discourse/lib/content_security_policy/middleware.rb:12:in `call'
/var/www/discourse/lib/middleware/anonymous_cache.rb:393:in `call'
/var/www/discourse/lib/middleware/csp_script_nonce_injector.rb:12:in `call'
/var/www/discourse/config/initializers/008-rack-cors.rb:14:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/session/abstract/id.rb:266:in `context'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/session/abstract/id.rb:260:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/cookies.rb:704:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.0.8.1/lib/active_support/callbacks.rb:99:in `run_callbacks'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/debug_exceptions.rb:28:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/show_exceptions.rb:29:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/logster-2.19.1/lib/logster/middleware/reporter.rb:40:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.0.8.1/lib/rails/rack/logger.rb:40:in `call_app'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.0.8.1/lib/rails/rack/logger.rb:27:in `call'
/var/www/discourse/config/initializers/100-quiet_logger.rb:20:in `call'
/var/www/discourse/config/initializers/100-silence_logger.rb:29:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/remote_ip.rb:93:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/request_id.rb:26:in `call'
/var/www/discourse/lib/middleware/enforce_hostname.rb:24:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/method_override.rb:24:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/executor.rb:14:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/sendfile.rb:110:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.0.8.1/lib/action_dispatch/middleware/host_authorization.rb:131:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-mini-profiler-3.3.1/lib/mini_profiler.rb:334:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/message_bus-4.3.8/lib/message_bus/rack/middleware.rb:60:in `call'
/var/www/discourse/lib/middleware/request_tracker.rb:291:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.0.8.1/lib/rails/engine.rb:530:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.0.8.1/lib/rails/railtie.rb:226:in `public_send'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.0.8.1/lib/rails/railtie.rb:226:in `method_missing'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/urlmap.rb:74:in `block in call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/urlmap.rb:58:in `each'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.9/lib/rack/urlmap.rb:58:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:634:in `process_client'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:739:in `worker_loop'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:143:in `start'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/bin/unicorn:128:in `<top (required)>'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `load'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `<main>'
Env
callback_phase method is the one raising this error
def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
error = request.params["error_reason"] || request.params["error"]
if !options.provider_ignores_state && (request.params["state"].to_s.empty? || !secure_compare(request.params["state"], session.delete("omniauth.state")))
fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
elsif error
fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
else
self.access_token = build_access_token
self.access_token = access_token.refresh! if access_token.expired?
super
end
rescue ::OAuth2::Error, CallbackError => e
fail!(:invalid_credentials, e)
rescue ::Timeout::Error, ::Errno::ETIMEDOUT, ::OAuth2::TimeoutError, ::OAuth2::ConnectionError => e
fail!(:timeout, e)
rescue ::SocketError => e
fail!(:failed_to_connect, e)
end
Can someone please point me in the right direction on how to proceed with the authorization part, playing around with ‘options.provider_ignores_state’ doesn’t seem like a great idea due to security concerns and I’m also not sure that ‘omniauth.state’ is initialized if I’m only hitting the ‘callback’ URL but I’m not familiar enough with OmniAuth to effectively troubleshoot this.
discourse-zoom install/config guide doesn’t explicitly mention the use of ‘discourse-oauth2-basic’ , is there a better way or a more compatible plugin to help me authorize the Meetings SDK
Thanks