Omniauth SAML callback triggers ActionController::InvalidAuthenticityToken

Open spemmons opened this issue 4 years ago • 1 comments

Environment

  • Ruby [2.6.5]
  • Rails [6.0.2.1]
  • Devise [4.7.1]

Current behavior

When 'protect_from_forgery' is in use, ActionController::InvalidAuthenticityToken is triggered when receiving a callback request from the SAML IdP.

The fix was to add the following to ApplicationController:

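  # In ApplicationController: skip the CSRF check only for the SAML callback request
  skip_forgery_protection if: :saml_callback_path?

  # True when the current request targets the SAML callback path
  def saml_callback_path?
    request.fullpath == '/.../auth/saml/callback'
  end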

Expected behavior

This is fine, but what I would really like is an elegant way to add this to the appropriate Devise controller, with something like:

skip_forgery_protection only: '???' <-- where ??? is whatever the action method name is for the callback

spemmons, Mar 18 '20 14:03

Hey @spemmons, any luck resolving this issue?

rajdeepbhatia, Dec 22 '22 19:12