Facebook Login Error: CSRF detected


My users cannot log in with Facebook anymore. This is the error log:

(facebook) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

I’m using Cloudflare in front of nginx. I’m using Cloudflare automatic SSL (flexible). I didn’t install any certificate on my server (i.e. I’m not using Letsencrypt).

Is this related to Cloudflare? Can this be solved without installing Letsencrypt?


This error is similar both for Google and Facebook. In my configuration there was a line in nginx:

# proxy_set_header X-Forwarded-Proto $https;

After I changed it to

proxy_set_header X-Forwarded-Proto $scheme;

the error has gone.

Solution was found after reading this topic: Redirect URI mismatch in Google Auth


I have to improve my answer.

After playing with FB and Google auth, I stay on Office365 login because of company policy.

When I moved my discourse server behind a proxy (see the picture below), O365 auth became unavailable. It needs force https enabled and this option is broken behind the proxy. Solved thankfully by Daniel: Moved site behind proxy, favicon and header not using https anymore - #11 by rossierd.

The line in Internal Nginx config

proxy_set_header X-Forwarded-Proto $scheme;

should be replaced with

proxy_set_header X-Forwarded-Proto "https";

External Nginx does not need such modification. It has:

proxy_set_header X-Forwarded-Proto $scheme;

Probably the same is right for FB, Google and other types of auth.


Obviously that string contained a typo $ and was useless.

1 Like