OmniAuth strategy to login with Auth0
MIT License
Misc dependabot package updates and version bumps.
Published by stevehobbsdev almost 2 years ago
Published by davidpatrick over 3 years ago
Version 3.0 introduces OmniAuth v2.0, which addresses CVE-2015-9284. OmniAuth now defaults to POST as the only allowed request_phase method. Previously this was handled through the recommended mitigation of using the omniauth-rails_csrf_protection v0.x.x gem to provide CSRF protection.
If you are using omniauth-rails_csrf_protection to provide CSRF protection, you will need to upgrade it to 1.x.x.
Now that OmniAuth defaults to POST as the only allowed request_phase method, if you haven't already, you will need to convert any login links to use form helpers with the POST method.
# OLD -- GET request
<a href='/auth/auth0'>Login</a>
# NEW Example #1 -- POST request (link_to with method: :post relies on rails-ujs being loaded)
<%= link_to 'Login', '/auth/auth0', method: :post %>
# NEW Example #2 -- POST request (renders a one-button form)
<%= button_to 'Login', '/auth/auth0', method: :post %>
# NEW Example #3 -- POST request (explicit form, absolute path so it resolves from any page)
<%= form_tag('/auth/auth0', method: :post) do %>
<button type='submit'>Login</button>
<% end %>
If you absolutely must allow GET requests as a request method for authentication, you can override the protection with the following configuration:
# Allowing GET requests will expose you to CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:get, :post]
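As an added illustration (not omniauth-auth0's or OmniAuth's own code), the stand-in below mimics the request-phase gate that OmniAuth 2.x applies through allowed_request_methods, and runs a cross-site GET and a same-origin POST against the GET-allowing override and the POST-only default; the two config hashes, the env hashes and the result symbols are constructed for this example.

```ruby
# Added example, not the gem's code: a stand-in for OmniAuth 2.x's
# request-phase gate, driven by a hash that stands in for OmniAuth.config.
GET_ALLOWED_CONFIG = { allowed_request_methods: [:get, :post] }.freeze # exposes CVE-2015-9284
DEFAULT_CONFIG     = { allowed_request_methods: [:post] }.freeze       # OmniAuth 2.x default

REQUEST_PATH = '/auth/auth0'.freeze

# Returns :redirect_to_auth0 when the request phase would run (OmniAuth
# redirects the browser to the identity provider), or :passed_to_app when
# the gate declines and the request falls through to the Rails app.
# env is a minimal Rack-style env hash with REQUEST_METHOD and PATH_INFO.
def request_phase(env, config)
  return :passed_to_app unless env['PATH_INFO'] == REQUEST_PATH

  method = env['REQUEST_METHOD'].to_s.downcase.to_sym
  # A cross-site <a href>, <img src> or top-level navigation can only
  # produce a GET, so refusing GET here is what closes the login-CSRF vector.
  return :passed_to_app unless config[:allowed_request_methods].include?(method)

  # A same-origin POST (link_to/button_to/form_tag with method: :post, its
  # CSRF token checked by omniauth-rails_csrf_protection) reaches this point.
  :redirect_to_auth0
end

# Constructed sample requests: a cross-site GET and a same-origin POST form.
def cross_site_get
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => REQUEST_PATH }
end

def same_origin_post
  { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => REQUEST_PATH }
end

if __FILE__ == $PROGRAM_NAME
  [['GET-allowed override', GET_ALLOWED_CONFIG],
   ['OmniAuth 2.x default', DEFAULT_CONFIG]].each do |name, cfg|
    puts "#{name}: GET -> #{request_phase(cross_site_get, cfg)}, " \
         "POST -> #{request_phase(same_origin_post, cfg)}"
  end
end
```

With the override, the cross-site GET starts the login flow; with the default, only the same-origin POST does.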
Published by davidpatrick over 3 years ago
Published by jimmyjames about 4 years ago
Published by davidpatrick about 4 years ago
Added connection_scope in params #99 (felixclack)
Published by davidpatrick over 4 years ago
Published by davidpatrick over 4 years ago
Published by joshcanhelp over 5 years ago
Published by joshcanhelp almost 6 years ago