Hello, following this thread : https://matrix.to/#/!vVcsnwMNPHhwWsmXST:matrix.org/$3C3HAY2csU6et6bvEPCNKPonNe_Iigz7ZuePZvPBcQw?via=matrix.org&via=t2bot.io&via=privchat.eu

I now have an error cause of "CSRF detected" (prompt on the login page). And I definitely do looking at the queries. Though I don't understand why it would be an issue nor what I should do to make it work.

To be more precise, I have an "Invalid Credentials" message on the login page, but if I click on the actual callback URL, it shows me "CSRF detected".

Exact messages :

• CSRF : "Could not authenticate you from Provider because "Csrf detected"."
• Invalid Credentials : "Could not authenticate you from Provider because "Csrf detected"."

In reply to @telegram_910959537:t2bot.io
Hi, quick question... Is there a container image for version 0.28? Thanks.

Yes here : https://hub.docker.com/layers/decidim/decidim/0.28.0/images/sha256-c6d21e944bebea51c55f26352f90a64db3052978ba2f10ce2a7d5e087d9316c8?context=explore

And all images : https://hub.docker.com/r/decidim/decidim

In reply to @ricocotam:matrix.org

Hello, following this thread : https://matrix.to/#/!vVcsnwMNPHhwWsmXST:matrix.org/$3C3HAY2csU6et6bvEPCNKPonNe_Iigz7ZuePZvPBcQw?via=matrix.org&via=t2bot.io&via=privchat.eu

I now have an error cause of "CSRF detected" (prompt on the login page). And I definitely do looking at the queries. Though I don't understand why it would be an issue nor what I should do to make it work.

To be more precise, I have an "Invalid Credentials" message on the login page, but if I click on the actual callback URL, it shows me "CSRF detected".

Exact messages :

• CSRF : "Could not authenticate you from Provider because "Csrf detected"."
• Invalid Credentials : "Could not authenticate you from Provider because "Csrf detected"."

In reply to @alecslupu:matrix.org
Adrien Pouyet: This is an implementation error. is hard for us to help if we cannot see / test the code ( of the oauth ), and considering decidim's AGPL license you should be Open source

In reply to @ricocotam:matrix.org
My org isn't familiar with open source and is scared. I'm gonna release this in another way. I'm not fan of closed source either. I'll post here when it's released.

In reply to @pau_pokecode:matrix.org
It is not so much a matter of organisational sensitivity, but a legal premise of the licence: https://github.com/decidim/decidim?tab=readme-ov-file#license

Hi, here is my gem for omniauth : https://github.com/Ricocotam/omniauth-wp_oauth/tree/main
It's a replica of what I did. It doesn't work probably, I need more documentation but most of the code is there. The only missing part is the site attribute within the Omniauth strategy. I guess it can be initialized using the usual initializer but I didn't test with this specific gem. Decidim project will be published in the following weeks but apart from the initializer and plugins I didn't do anything. And here is the initializer :

if Rails.application.secrets.dig(:omniauth, :wp_oauth).present?
  Rails.application.config.middleware.use OmniAuth::Builder do
    provider(
      :wp_oauth,
      setup: ->(env) {
          request = Rack::Request.new(env)
          organization = Decidim::Organization.find_by(host: request.host)
          provider_config = organization.enabled_omniauth_providers[:wp_oauth]
          env["omniauth.strategy"].options[:client_id] = provider_config[:client_id]
          env["omniauth.strategy"].options[:client_secret] = provider_config[:client_secret]
         # :site is defined in the actual gem I use for now. I'm planning a switch but I'd rather it to be working first from decidim side
        },
      scope: :basic
    )
  end
end

Note that I'm not a ruby dev and I perfectly don't understand what I do here.

So to come back at my issue, my provider works (I tested using Postman) and it fails on Decidim callback.

I have this call that is redirected because failing :

https://my.decidim.fr/users/auth/wp_oauth/callback?locale=en&code=[code]&state=[state]&iframe=break

The final query gives me the message Could not authenticate you from ProviderName because "Invalid credentials". but I use the right credentials. And if I actually go on the redirected URL I posted above, I get in the red part Could not authenticate you from ProviderName because "Csrf detected".

If possible I'd like to avoid giving away exact URLs because there's a lot of sensitive informations you could access. And the provider mechanism prevents doing a fake account. But if no choice I can provide by "live" direct messaging

Hi, here is my gem for omniauth : https://github.com/Ricocotam/omniauth-wp_oauth/tree/main
It's a replica of what I did. It doesn't work probably, I need more documentation but most of the code is there. The only missing part is the site attribute within the Omniauth strategy. I guess it can be initialized using the usual initializer but I didn't test with this specific gem. Decidim project will be published in the following weeks but apart from the initializer and plugins I didn't do anything. And here is the initializer :

if Rails.application.secrets.dig(:omniauth, :wp_oauth).present?
  Rails.application.config.middleware.use OmniAuth::Builder do
    provider(
      :wp_oauth,
      setup: ->(env) {
          request = Rack::Request.new(env)
          organization = Decidim::Organization.find_by(host: request.host)
          provider_config = organization.enabled_omniauth_providers[:wp_oauth]
          env["omniauth.strategy"].options[:client_id] = provider_config[:client_id]
          env["omniauth.strategy"].options[:client_secret] = provider_config[:client_secret]
         # :site is defined in the actual gem I use for now. I'm planning a switch but I'd rather it to be working first from decidim side
        },
      scope: :basic
    )
  end
end

Note that I'm not a ruby dev and I perfectly don't understand what I do here.

So to come back at my issue, my provider works (I tested using Postman) and it fails on Decidim callback.

First there's this call on the provider :

https://www.myprovider.fr/oauth/authorize/?client_id=[client_id]&code_challenge=[some_code]&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fmy.decidim.fr%2Fusers%2Fauth%2Fwp_oauth%2Fcallback%3Flocale%3Den&response_type=code&scope=basic&state=[some_state]

Then I have this call that is redirected because failing :

https://my.decidim.fr/users/auth/wp_oauth/callback?locale=en&code=[another_code]&state=[same_state]&iframe=break

The final query gives me the message Could not authenticate you from ProviderName because "Invalid credentials". but I use the right credentials. And if I actually go on the redirected URL I posted above, I get in the red part Could not authenticate you from ProviderName because "Csrf detected".

If possible I'd like to avoid giving away exact URLs because there's a lot of sensitive informations you could access. And the provider mechanism prevents doing a fake account. But if no choice I can provide by "live" direct messaging