omniauth-microsoft-identity2 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +6 -0
- data/lib/omniauth/microsoft_identity2/version.rb +1 -1
- data/lib/omniauth/strategies/microsoft_identity2.rb +25 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4569a0404462574684b79709fdbccccee5e8622f98ce34fb7d50eaf883447e91
|
|
4
|
+
data.tar.gz: 0cdaff3fc5ff3cfb7e43dd21b91fa2add62ed65cd59955b2c69fad9e9bafd650
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b999e7fec5937388059cab737e3222ba63f2637a69e61be24f7013ec5dca19094c0928c0bad474568e1cf1bce8117e6379f9a32d804d7111c90b0c8fd4e7904e
|
|
7
|
+
data.tar.gz: 42c571fca827b0c345a4969b6058ebb92ecb4364a99ca74791b3573b196806856644e9c666bcc7fbbfbf620b1d1d2a30002b17fd813c59b9527cd502db47e15a
|
data/README.md
CHANGED
|
@@ -58,6 +58,12 @@ Supported options include:
|
|
|
58
58
|
|
|
59
59
|
Request query parameters for supported authorize options are passed through in request phase.
|
|
60
60
|
|
|
61
|
+
## Troubleshooting
|
|
62
|
+
|
|
63
|
+
- If callback fails with `message=csrf_detected`, the OAuth `state` value could not be validated.
|
|
64
|
+
- A common local smoke-test cause is host mismatch between request and callback (for example `127.0.0.1` vs `localhost`), which changes cookie scope and drops the session state cookie.
|
|
65
|
+
- Use the exact same host for request and callback URLs, and register that exact callback in Entra.
|
|
66
|
+
|
|
61
67
|
## Auth Hash
|
|
62
68
|
|
|
63
69
|
Example payload from `request.env['omniauth.auth']` (realistic shape, anonymized):
|
|
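Review bot: the third bullet tells users to keep the request and callback host identical but never says how to pin it; the strategy already honours `callback_url` / `redirect_uri` (see `options[:callback_url] || options[:redirect_uri] || super` in the `callback_url` override later in this diff), so the bullet should name them, e.g. "set `callback_url` to the exact URL registered in Entra so the redirect host cannot drift". It would also help the first bullet to say that `message=csrf_detected` is what the new `callback_phase` returns when `session['omniauth.state']` is absent, so readers connect the symptom with the cookie-scope explanation in the second bullet.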
@@ -99,6 +99,16 @@ module OmniAuth
|
|
|
99
99
|
end
|
|
100
100
|
end
|
|
101
101
|
|
|
102
|
+
def callback_phase
|
|
103
|
+
return fail_state_mismatch if missing_session_state?
|
|
104
|
+
|
|
105
|
+
super
|
|
106
|
+
rescue NoMethodError => e
|
|
107
|
+
raise unless oauth_state_nil_compare_error?(e)
|
|
108
|
+
|
|
109
|
+
fail_state_mismatch
|
|
110
|
+
end
|
|
111
|
+
|
|
102
112
|
# Ensure token exchange uses a stable callback URI that matches provider config.
|
|
103
113
|
def callback_url
|
|
104
114
|
options[:callback_url] || options[:redirect_uri] || super
|
|
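Review bot: the `missing_session_state?` guard before `super` runs unconditionally, while the upstream OmniAuth OAuth2 strategy skips the `state` comparison when `options.provider_ignores_state` is set; with this change such a configuration now fails with `csrf_detected` whenever a `state` parameter arrives without `session['omniauth.state']`. Suggest `return fail_state_mismatch if !options.provider_ignores_state && missing_session_state?`. The `rescue NoMethodError => e` branch also needs a comment stating that it is a fallback for the nil `bytesize` comparison inside the parent's state check, because rescuing `NoMethodError` around the whole of `super` (token exchange included) reads as a mistake without that context. (This hunk belongs to `data/lib/omniauth/strategies/microsoft_identity2.rb` per the file list at the top; the file header was lost in extraction.)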
@@ -199,6 +209,21 @@ module OmniAuth
|
|
|
199
209
|
def present?(value)
|
|
200
210
|
!blank?(value)
|
|
201
211
|
end
|
|
212
|
+
|
|
213
|
+
def missing_session_state?
|
|
214
|
+
present?(request.params['state']) && blank?(session['omniauth.state'])
|
|
215
|
+
end
|
|
216
|
+
|
|
217
|
+
def oauth_state_nil_compare_error?(error)
|
|
218
|
+
error.message.include?("undefined method 'bytesize' for nil")
|
|
219
|
+
end
|
|
220
|
+
|
|
221
|
+
def fail_state_mismatch
|
|
222
|
+
fail!(
|
|
223
|
+
:csrf_detected,
|
|
224
|
+
OmniAuth::Strategies::OAuth2::CallbackError.new(:csrf_detected, 'OAuth state was missing or mismatched')
|
|
225
|
+
)
|
|
226
|
+
end
|
|
202
227
|
end
|
|
203
228
|
|
|
204
229
|
# Backward-compatible strategy name for existing callback paths.
|
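Review bot: `oauth_state_nil_compare_error?` matches on the exception message text, and the wording it expects (`undefined method 'bytesize' for nil`) is the Ruby 3.4 format; Ruby 3.3 and earlier quote the method name with a backtick (and before 3.3 print `nil:NilClass`), so on those versions the rescue never matches and the original `NoMethodError` propagates as a 500 instead of the documented `csrf_detected`. Match on the structured fields instead: `error.name == :bytesize && error.receiver.nil?` (`NameError#name` and `NoMethodError#receiver` exist since Ruby 2.3). `fail_state_mismatch` correctly reuses upstream's `:csrf_detected` symbol in `OmniAuth::Strategies::OAuth2::CallbackError`, which keeps the failure endpoint's `message=csrf_detected` consistent with the README; a one-line comment noting that both call sites in `callback_phase` deliberately share it would help future readers.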