Commit dfabd56

Allow disabling CSRF protection in individual strategies

Some OAuth2 providers ignore the 'state' parameter and don't return it to the client. CSRF protection with this parameter is impossible for such services. Add a boolean option :provider_ignores_state to disable CSRF protection for individual strategies.

Signed-off-by: Yauhen Kharuzhy <jekhor@gmail.com>
1 parent e82ed5d commit dfabd56
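The commit message describes a per-strategy switch for the OAuth2 `state` check. Below is an added example, not omniauth-oauth2's own code, that models both phases of that check in plain Ruby so the two behaviours can be exercised side by side: the stored state is consumed from the session unconditionally, and the ignore flag excuses only a missing `state`, never a mismatching one. `CallbackGuard`, the plain Hash standing in for the session, and the `provider_ignores_state:` keyword are assumptions made for this example.

```ruby
require 'securerandom'

class CsrfDetected < StandardError; end

# Hypothetical guard that models the request and callback phases of an
# OmniAuth OAuth2 strategy. Not the project's code; names are assumptions.
class CallbackGuard
  STATE_KEY = 'omniauth.state'.freeze

  def initialize(provider_ignores_state: false)
    @provider_ignores_state = provider_ignores_state
  end

  # Request phase: mint a fresh random state, store it server-side, and
  # return it so the caller can place it in the authorize URL.
  def request_phase(session)
    session[STATE_KEY] = SecureRandom.hex(24)
  end

  # Callback phase. The stored value is consumed first, unconditionally, so a
  # provider that drops state never leaves a stale token in the session.
  # Returns :ok when verified, :skipped when the provider is flagged and sent
  # nothing; raises CsrfDetected otherwise.
  def callback_phase(session, params)
    expected = session.delete(STATE_KEY).to_s
    received = params['state'].to_s

    if received.empty?
      return :skipped if @provider_ignores_state
      raise CsrfDetected, 'state missing'
    end

    # A flagged provider that does echo state back is still checked: the
    # flag only excuses absence, never a mismatch.
    raise CsrfDetected, 'state mismatch' unless constant_time_equal?(received, expected)
    :ok
  end

  private

  # Comparison whose timing does not depend on where the strings differ
  # (length is checked up front, which is acceptable for a fixed-size state).
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Usage: call `request_phase(session)` when building the authorize redirect and `callback_phase(session, request_params)` on return; a strategy for a provider known to drop `state` is constructed with `provider_ignores_state: true`, and everything else keeps the default.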

1 file changed

+2
-1
lines changed


lib/omniauth/strategies/oauth2.rb

Lines changed: 2 additions & 1 deletion
@@ -24,6 +24,7 @@ class OAuth2
2424
option :authorize_options, [:scope]
2525
option :token_params, {}
2626
option :token_options, []
27+
option :provider_ignores_state, false
2728

2829
attr_accessor :access_token
2930

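Review bot: the new `option :provider_ignores_state, false` line carries no comment or documentation, yet setting it to true silently removes the callback's CSRF check. Add a one-line comment above it (and a README entry) stating that it must only be enabled for providers known to omit the `state` parameter, so a strategy author does not reach for it to quiet a failing callback.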
@@ -68,7 +69,7 @@ def callback_phase
6869
if request.params['error'] || request.params['error_reason']
6970
raise CallbackError.new(request.params['error'], request.params['error_description'] || request.params['error_reason'], request.params['error_uri'])
7071
end
71-
if request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state')
72+
if !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != session.delete('omniauth.state'))
7273
raise CallbackError.new(nil, :csrf_detected)
7374
end
7475

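Review bot: with `options.provider_ignores_state` set, the `&&` short-circuits and `session.delete('omniauth.state')` never runs, so the state stored in the request phase survives the callback in the session. Pull the delete out of the condition, e.g. `expected = session.delete('omniauth.state')` before the `if`, then `if !options.provider_ignores_state && (request.params['state'].to_s.empty? || request.params['state'] != expected)`. Consider also still comparing whenever the provider does return a `state` value, since the stated motivation is only that some providers drop it; skipping the comparison on a value that is present widens the bypass beyond that case.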